We have a distributed Splunk enterprise deployment with the following separate components:
All servers are running on Windows.
Recently we received a message saying "server certificate is now invalid". I am going through the process of updating this certificate.
I have seen some useful comments about just refreshing this as a self-signed cert (Renewing-server-pem-certificate ), however I'm interested in seeing whether i can refresh using certificates signed by our private CA.
Again i have seen some interesting articles on this (such as this: splunk-certificates-master-guide ). However i still have a couple of questions:
Thanks (in anticipation) 🙂
Thanks for that reply. I have to admit though to still being a tad confused. 🙂
from what i understand server.pem controls all splunkd traffic including traffic between forwarder/indexer as well as traffic indexer/search head. If that is the case ... as soon as i change the certificate on my indexers then communications to other splunk nodes (search heads, cluster master and forwarders) will break until i update their certificates as well?
or is splunk able to still operate with mismatched certificates on the different endpoints? (it certainly seems to still run with the expired certs for the time being)
the search heads to query the indexers do not need to certify, for sending the logs yes, for example the internal logs, this applies to all roles.
for this I recommend to use the server classes on the deployment server to be able to make a more secure update of the certificates.
I hope you are well
before to start your activities on certificates please read this documentation
answers for your questions
Hope can help