Security

Multiple forwarder certificates?

moseisleydk
Path Finder

How about setting up multiple certificates for forwarders, so that we are able to close parts of them?

It seems I can create several forwarder certificates (step 3), but how do I set up the indexer to allow/deny several of them, the

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem
password = changeme
requireClientCert = true

[splunktcp-ssl:9997]
compressed = true

Seems to allow all forwarder certificates...


inventsekar
SplunkTrust

Can someone please clarify this:
Can I have two SSL certificates deployed on a single indexer? If yes, on the same port or on different ports?

The issue is this. During certificate renewal, we would like to follow this process:
1. Install a renewed certificate on the indexer (while the old SSL certificate is still deployed).
2. Deploy the renewed certificate to the forwarders (while some forwarders may still have the old certificates).
3. The UFs that got the renewed certificates will start communicating with the indexer's renewed certificate.
4. Whereas the old UFs, until certificate renewal, will still be communicating with the indexer using the indexer's old certificate.

Is this possible? How do I add two [SSL] stanzas to outputs.conf?

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/renewedcacert.pem
serverCert = $SPLUNK_HOME/etc/certs/renewedsplunk-idx-01.pem

thanks and best regards,
Sekar

PS: If this or any post helped you in any way, please consider upvoting. Thanks for reading!

hettervik
Builder

Bump. I also want to define two [SSL] stanzas, for two different server certificates. Also, one of them would require client certificate, and the other would not. Is this possible?

EDIT: Got an answer to my own question here https://answers.splunk.com/answers/549719/two-ssl-certificates-on-a-single-indexer-forwarder.html


dwaddle
SplunkTrust

Adding to gkanapathy's answer, Splunk doesn't at this time support multiple root CA certs for a single splunkd. (I am 99% sure anyway.) The password there is for unlocking the key on the SSL server cert.

If you need to partition these clients, you might be able to set up a "proxy" forwarder for each of them - and let that forwarder (probably a heavy forwarder) connect to the indexers on their behalf. If you do this, you'll probably need to forgo SSL between the proxy forwarder and the indexer.

gkanapathy
Splunk Employee

A forwarder will accept any forwarder certificate that is signed by the specified rootCA file. Since all Splunk forwarders (and servers) come with the same default Splunk rootCA file, it will accept them all. If you wish to change this, you need to use a new rootCA, and distribute appropriate new client certificates to the forwarders.
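The trust rule gkanapathy states (anything signed by the file named in rootCA is accepted), dwaddle's "one CA per group" partition, and the renewal scenario inventsekar asks about can all be reproduced outside Splunk with plain openssl. The script below is an added example, not code from this thread or from Splunk: it stands in for splunkd's rootCA check with `openssl verify -CAfile`, borrows the thread's file names (cacert.pem, splunk-idx-01.pem, renewedcacert.pem, renewedsplunk-idx-01.pem), and everything else (the CA and forwarder common names uf-a/uf-b/uf-c, the scratch directory) is made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk). splunkd validates a
# presented certificate against the single file named by rootCA, so every
# leaf issued by that CA is accepted; the only partition available is to give
# each forwarder group its own CA. File names follow the thread; the CNs and
# the scratch directory are made up for this example.
set -e
WORK=${WORK:-$(mktemp -d)}

# Self-signed CA. $1 = file prefix, $2 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" \
        >/dev/null 2>&1
}

# Leaf certificate signed by CA $1. $2 = file prefix, $3 = CN
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# What a splunkd configured with "rootCA = $1.pem" does to a presented
# certificate: chain-validate it against that one file.
# Exit status 0 = accepted, non-zero = rejected.
accepts() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Build the lab once: the shared CA (the thread's cacert.pem), a second CA
# (the thread's renewedcacert.pem, used here as a separate group's CA too),
# and leaf certificates from each.
build_lab() {
    [ -f "$WORK/.built" ] && return 0
    make_ca cacert "Lab Root CA"
    make_ca renewedcacert "Lab Root CA 2"
    issue_cert cacert splunk-idx-01 splunk-idx-01           # indexer server cert
    issue_cert cacert fwd-a uf-a.example                    # two forwarders, shared CA
    issue_cert cacert fwd-b uf-b.example
    issue_cert renewedcacert fwd-c uf-c.example             # forwarder from the other CA
    issue_cert cacert renewedsplunk-idx-01 splunk-idx-01    # re-issued server cert, same CA
    issue_cert renewedcacert idx-newca splunk-idx-01        # server cert from the new CA
    : > "$WORK/.built"
}

# Human-readable verdict for one (rootCA file, peer certificate) pair
verdict() {
    if accepts "$1" "$2"; then
        echo "rootCA=$1.pem  peer=$2.pem  ACCEPTED"
    else
        echo "rootCA=$1.pem  peer=$2.pem  rejected"
    fi
}

build_lab
# Indexer side (requireClientCert = true): every leaf from the shared CA gets in.
verdict cacert fwd-a
verdict cacert fwd-b
# A forwarder group issued from its own CA is kept out; that is the partition.
verdict cacert fwd-c
# Forwarder side during renewal: a server cert re-issued from the same CA still
# validates for a UF holding the old rootCA; one issued from a new CA does not
# until that UF gets the new CA file.
verdict cacert renewedsplunk-idx-01
verdict cacert idx-newca
verdict renewedcacert idx-newca
```

Run it with OpenSSL 1.1 or later; the scratch directory is printed nowhere, so set WORK=/some/dir to keep the files. The last three verdicts bear on the renewal question: as long as the CA file itself does not change, a forwarder's existing rootCA keeps validating a re-issued indexer certificate, and it is only when the CA changes that a forwarder still holding the old cacert.pem rejects the indexer.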

moseisleydk
Path Finder

Is it possible to set up some password required from clients, or perhaps multiple CAs, one for each client "group"?
