Security

Am I missing any configurations with Splunk forwarder SSL custom certificates?

SS1
Path Finder

Hi,

I have configured my windows forwarder to use the custom CA and Server certificate. Below is the configuration and the forwarder is able to connect to indexer fine.

File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = XXX:9998

clientCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\testCertificate.pem

sslPassword = XXX

useClientSSLCompression = true

sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\myCAcertificate.pem

[tcpout-server://XXX:9998]

But still in the splunkd.log file i am seeing below message,

X509Verify [14596 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates

 

Any idea if I am missing any configs here?

Labels (3)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Are you sure it's not related to another part of config?

To be on the safe side I'd do a tcpdump/wireshark dump and see which certs are really used on the wire.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...