How about setting up multiple certificates for forwarders, so that we are able to close parts of them?
I seems I can create several forwarder certificates (step 3), but how do I set up the indexer to allow/deny several of them, the
[SSL] rootCA = $SPLUNK_HOME/etc/certs/cacert.pem serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem password = changeme requireClientCert = true [splunktcp-ssl:9997] compressed = true
Seems to allow all forwarder certificates...
can someone please update clearly about this -
can I have two SSL certificates deployed on a single indexer? if yes, on same port or different ports?
the issue is - during Certificates renewal,
we would like to follow this process -
1. install a renewed certificate on indexer (while the old SSL certificate is still deployed)
2. deploy the renewed certificate to forwarders (while some forwarders may be still having the old certificates)
3. the UF's which got the renewed certificates will start communicating with the indexer's renewed certificate.
4. whereas, the old UF's, until certificate renewal, will still be communicating with the indexer with indexer's old certificate.
is this possible? how to add two [SSL] stanza's on outputs.conf?
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk-idx-01.pem
rootCA = $SPLUNK_HOME/etc/certs/renewedcacert.pem
serverCert = $SPLUNK_HOME/etc/certs/renewedsplunk-idx-01.pem
Bump. I also want to define two
[SSL] stanzas, for two different server certificates. Also, one of them would require client certificate, and the other would not. Is this possible?
EDIT: Got an answer to my own question here https://answers.splunk.com/answers/549719/two-ssl-certificates-on-a-single-indexer-forwarder.html
Aadding to gkanapathy's answer, Splunk doesn't at this time support multiple root CA certs for a single splunkd. (I am 99% sure anyway.) The
password there is for unlocking key on the SSL server cert.
If you need to partition these clients, you might be able to set up a "proxy" forwarder for each of them - and let that forwarder (probably a heavy forwarder) connect to the indexers on their behalf. If you do this, you'll probably need to forgo SSL between the proxy forwarder and the indexer.
A forwarder will accept any forwarder certificate that is signed by the specified rootCA file. Since all Splunk forwarders (and servers) come with the same default Splunk rootCA file, it will accept them all. If you wish to change this, you need to use a new rootCA, and distribute appropriate new client certificates to the forwarders.