I have recently upgraded the UF's in my environment and receiving warning messages indicating that the Splunk instances are using Splunk's own default Certificate Authority (CA).

mbadhusha_splun
Splunk Employee

I get an "X509 certificate" issue when I try to upgrade existing forwarders to 7.x.x. I understand we would need to use self-signed certificates.

My indexers are running on Splunk 7.0.0 and I have upgraded my forwarders to Splunk 7.0.2. Will this cause any connection issues between my UF and the indexers?

1. But is it going to create any loss if we don't take any action now and take time getting certificates self-signed?

2. If there is any loss: I found there might be "loss of communication in mixed-version Splunk environments after upgrade". Does that mean a forwarder on version 7.0.3 wouldn't be able to forward data to an indexer on version 7.0.0?

3. If we need to get the certificates "self-signed", is there any time before which we would need to finish this after getting the forwarders upgraded?
1 Solution

mbadhusha_splun
Splunk Employee

You might have received this warning message while upgrading the Splunk forwarder. It indicates that your Splunk instance is using its own default Certificate Authority and suggests that you use either commercial-CA-signed or self-CA-signed certificates to establish SSL connections between your Splunk servers.

This does not have an impact on your environment; it is not necessary to use commercial-CA-signed or self-CA-signed certificates, and you can continue using the default Splunk certificates as per your requirement.

This is the default notification you will receive while upgrading a UF to Splunk 7.x:

"It seems that the Splunk default certificates are being used. If certificate validation is turned on using the default certificates (not-recommended), this may result in loss of communication in mixed-version Splunk environments after an upgrade."

This is a message added in Splunk UF 7.x to notify you that the Splunk default certificates are being used. I received the same message after the upgrade, but the connection between the UF and indexer seems to be normal and working as expected.

I can still see that my UF is forwarding data to the indexer as expected, and I believe there should not be any issues with the above warning message that you received while upgrading your UF.

If you would like to use self-signed or third-party certificates instead of the Splunk default certificates, please refer to the links below for more details.

1.) How to get certificates signed by a third-party
http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtogetthird-partycertificates

2.) How to prepare your signed certificates for Splunk authentication
http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/HowtoprepareyoursignedcertificatesforSplu...

3.) Configure Splunk forwarding to use your own certificates
http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/ConfigureSplunkforwardingtousesignedcerti...

Cheers,
Meeran.

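As an added example (not part of the answer above and not Splunk's own tooling), here is a Python check a defender can run against a forwarder's or indexer's TLS port to tell whether it still presents the default Splunk certificates that the warning refers to. It assumes the default CA is the cacert.pem under $SPLUNK_HOME/etc/auth and that its common name is SplunkCommonCA; the sample dicts at the bottom are constructed, not real certificates.

```python
import socket
import ssl

# Issuer CN of the CA Splunk ships as $SPLUNK_HOME/etc/auth/cacert.pem
# (assumption: the default CA's common name is "SplunkCommonCA").
DEFAULT_SPLUNK_CA_CN = "SplunkCommonCA"


def name_field(rdn_seq, field):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert()-style
    issuer/subject tuple of RDN tuples; None if absent."""
    for rdn in rdn_seq:
        for key, value in rdn:
            if key == field:
                return value
    return None


def issuer_cn(cert):
    return name_field(cert.get("issuer", ()), "commonName")


def is_default_splunk_ca(cert):
    """True when the certificate was issued by Splunk's shipped default CA."""
    return issuer_cn(cert) == DEFAULT_SPLUNK_CA_CN


def check_peer(host, port, default_ca_file):
    """Handshake with a Splunk TLS port (e.g. splunktcp-ssl on 9997) and verify
    the peer's chain against the shipped default CA only. Success means the
    peer is still on the default certificates (what the upgrade warning is
    about); a verification failure means its chain was not signed by that CA."""
    ctx = ssl.create_default_context(cafile=default_ca_file)
    ctx.check_hostname = False  # the default server cert carries no usable hostname
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "not-default-ca", None
    return ("default-ca" if is_default_splunk_ca(cert) else "unexpected", cert)


# Constructed sample dicts in getpeercert() shape (not real certificates).
SAMPLE_DEFAULT = {
    "subject": ((("commonName", "SplunkServerDefaultCert"),),),
    "issuer": ((("organizationName", "Splunk"),), (("commonName", "SplunkCommonCA"),)),
}
SAMPLE_OWN = {
    "subject": ((("commonName", "idx01.example.internal"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "corp-issuing-ca"),)),
}
```

A result of "default-ca" from check_peer means validation against the default CA would still succeed on that port, which is exactly the mixed-version situation the warning text describes.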