We have two sites with two indexers per site. A total of four indexers.
I have to set up certificate-based encryption from all forwarders to Indexers.
What is the easiest way to go about setting up certificates? Can I generate one certificate for ALL forwarders and another certificate for ALL indexers ?
Any assistance is appreciated!
That is correct.
Depends on what you want to achieve. Technically, you could even use the same crypto material for all servers. But that's against any reasonable good security practices.
As a rule of thumb every subject should use its own certificate. This way you have control over authentication and authorization. Especially if we're talking about uf's which might be installed in various environments. If you installed them all with the same cert, compromise of the key from one forwarder would result in necessity to replace certs on all forwarders.
And yes, I know that management of several dozens or hundreds of forwarders with certificates is a huge PITA.
It's common practice to have a common certificate for all forwarders and individual certificates for each indexer.
Thank you. How would I generate the common certificate to be used by all forwarders?
I've read this article: https://docs.splunk.com/Documentation/Splunk/8.2.3/Security/Howtogetthird-partycertificates
I assume for the Fowarders I would not enter a common name, correct?
That is correct.