Getting Data In

Should I include indexer's 3rd party cert AND private key in forwarder configuration

trross33
Path Finder

Hello,

I am using the following documents for configuring an Indexer and Forwarder to utilize a 3rd party certificate for communication

Use SSL to encrypt and authenticate data from forwarders

Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

However, I have one question that wasn't clarified in the document. Setting up the Indexer was fairly straight forward. I created a .pem file combining the server public certificate, server private key, Issuing CA public cert, and Root CA public cert. I then configured inputs.conf to work with the 3rd party issuing cert according to the documentation.

My question is:

On the forwarder, the documentation makes it seem as if you need to use this same .pem file (containing server public cert, private key, issuing CA cert, and Root CA cert). It seems odd to me that the private key be required for the forwarder as well. Is the private key needed in the .pem file specified in outputs.conf (on the forwarder), or is it sufficient to use all public certificates in the .pem file specified in outputs.conf.

Thanks for any assistance. I wanted to make sure before I start copying private keys...

1 Solution

gekoner
Communicator

trross,

Yes you have to have the server's private key in the key chain where your forwarder is configured. So this should be a different private key for each server where you have a forwarder.
The reason is - This key will be used to encrypt the outgoing data FROM your forwarder client.
What you do NOT want to do is - Use the same key chain file from your Indexer. This should be a DIFFERENT key chain then the file you used on your FORWARDER. As that file would contain the private key of your Indexer, which YOU DO NOT WANT TO place on all of your forwarder client servers.
Make sense?

The document
Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

is correct and is the one you want to follow.

View solution in original post

0 Karma

gekoner
Communicator

trross,

Yes you have to have the server's private key in the key chain where your forwarder is configured. So this should be a different private key for each server where you have a forwarder.
The reason is - This key will be used to encrypt the outgoing data FROM your forwarder client.
What you do NOT want to do is - Use the same key chain file from your Indexer. This should be a DIFFERENT key chain then the file you used on your FORWARDER. As that file would contain the private key of your Indexer, which YOU DO NOT WANT TO place on all of your forwarder client servers.
Make sense?

The document
Configuring Splunk forwarding to use SSL certificates signed by a third party Certificate Authority

is correct and is the one you want to follow.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...