Getting Data In

Should I include indexer's 3rd party cert AND private key in forwarder configuration

trross33
Path Finder

Hello,

I am using the following documents for configuring an Indexer and Forwarder to utilize a 3rd party certificate for communication

Use SSL to encrypt and authenticate data from forwarders

Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

However, I have one question that wasn't clarified in the document. Setting up the Indexer was fairly straight forward. I created a .pem file combining the server public certificate, server private key, Issuing CA public cert, and Root CA public cert. I then configured inputs.conf to work with the 3rd party issuing cert according to the documentation.

My question is:

On the forwarder, the documentation makes it seem as if you need to use this same .pem file (containing server public cert, private key, issuing CA cert, and Root CA cert). It seems odd to me that the private key be required for the forwarder as well. Is the private key needed in the .pem file specified in outputs.conf (on the forwarder), or is it sufficient to use all public certificates in the .pem file specified in outputs.conf.

Thanks for any assistance. I wanted to make sure before I start copying private keys...

1 Solution

gekoner
Communicator

trross,

Yes you have to have the server's private key in the key chain where your forwarder is configured. So this should be a different private key for each server where you have a forwarder.
The reason is - This key will be used to encrypt the outgoing data FROM your forwarder client.
What you do NOT want to do is - Use the same key chain file from your Indexer. This should be a DIFFERENT key chain then the file you used on your FORWARDER. As that file would contain the private key of your Indexer, which YOU DO NOT WANT TO place on all of your forwarder client servers.
Make sense?

The document
Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

is correct and is the one you want to follow.

View solution in original post

0 Karma

gekoner
Communicator

trross,

Yes you have to have the server's private key in the key chain where your forwarder is configured. So this should be a different private key for each server where you have a forwarder.
The reason is - This key will be used to encrypt the outgoing data FROM your forwarder client.
What you do NOT want to do is - Use the same key chain file from your Indexer. This should be a DIFFERENT key chain then the file you used on your FORWARDER. As that file would contain the private key of your Indexer, which YOU DO NOT WANT TO place on all of your forwarder client servers.
Make sense?

The document
Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

is correct and is the one you want to follow.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...