Security

Do splunk indexers check SSL certificate expiration date ?

Explorer

I've configured forwarders to use SSL certificates that are checked against the rootCA defined on the indexers.

I am wondering if the indexers will reject the certificates once we are past the expiration date of the forwarders certificates.

I am asking because those certificates are going to be setup on machines that are at our customers and, most likely, they won't be renewed afterwards.

So I need to know if Splunk indexers only checks that the certificates have been signed by the rootCA or if it also does complementary checks like the validity of the certificates.

0 Karma

SplunkTrust
SplunkTrust

Others will probably know better, but I believe the forwarders do not check certificates at all. They are provided as part of the connection process. If the certificates are expired, connections will simply fail.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I'm asking the opposite, What are the checks done by the indexers on the certificates presented by the forwarders

0 Karma

SplunkTrust
SplunkTrust

The answer is the same - none. Certs are merely handed to the OS to use to authenticate a connection. If the cert is expired the connection fails. One would hope an error is logged, but there is no "dude, you know this isn't going to work, right?"

---
If this reply helps you, an upvote would be appreciated.
0 Karma