Getting Data In

How to configure 3rd party ssl-certificates to use them as public key?


The certificate configuration tutorials have unfortunately left me with some lingering questions. 
They have taught me that in order to set up a 3rd-party-signed certificate for a Splunk Enterprise server, I must:
1. create a private key
2. create a CSR, using the aforementioned private key
3. send the CSR to the CA authority of the current company
4. receive a multitude of certificates: a server cert, a CA root cert, and perhaps CA intermediate certs.
5. I can choose to combine the CAroot and CAintermediate certs to create a CAbundle.pem which I can reference in any CAcert fields. (example: sslRootCaPath field in server.conf)
6. I need to combine the server cert, private key, and CAbundle to create a complete Splunk Enterprise signed certificate. (to be used by fields like for example inputs.conf:serverCert, or outputs.conf:sslCertPath)

So far so good. This procedure allows me to set up SSL connections between Splunk Enterprise instances.

I have two scenarios where this setup probably does not work, and I would like to know how I can make them work:

1) I want to deploy 100 forwarders remotely and set them so that they send their data to an indexer or heavy forwarder through SSL.
Problem: The process of getting a 3rd party signed certificate for each and every forwarder is arduous and I don't believe it can be done remotely effectively. 
My thoughts: Can I use (part of) the certification of the data receiver (IDX/HF) as a public key which I can then send to all forwarders?
Clearly I can not use the concatenated certificate described in premise_step6, because it contains a private key. Could I maybe use the signed servercert part that I received from the 3rd party, pre-concatenation?
A Splunk data receiver does not necessarily have to validate the certification of a data sender, so I don't see why each universal forwarder should be equipped with its own certificate. There has to be a way to have only them check whether the indexer has valid certification somehow.

2) Say I want to connect another application (like the Infoblox Splunk Connector) to a Splunk data receiver while using SSL.
My thoughts: I expect that sending the CAbundle (premise_step5) should be enough, so that the application side can create its own certificate and perhaps combine it with the CAroot somehow.. but I guess my question is the same as before; I cannot send the concatenated .pem from premise_step6. What is the best way to set up an SSL connection to another application? 

Thanks in advance.
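As an added illustration of the concatenation step and of the concern raised in scenario 1 (the combined .pem from step 6 carries the private key), the following Python script is not part of the original post and is not Splunk's own tooling. It builds the combined file in the order Splunk's documentation uses (server cert, then private key, then CA chain), then checks a PEM file for private-key blocks and produces a copy containing only certificate blocks. The PEM bodies are constructed placeholders, not real key material; the function names are the author's own.

```python
"""Inspect and split a Splunk-style combined PEM (server cert + private key + CA chain).

Hypothetical helper code, added as an example; it uses only the standard library.
"""
import re

# One PEM block: header label, base64 body, matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def parse_pem_blocks(text):
    """Return a list of (label, block_text) for every PEM block found, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if any block is a private key (covers 'RSA PRIVATE KEY',
    'ENCRYPTED PRIVATE KEY', plain 'PRIVATE KEY', ...)."""
    return any("PRIVATE KEY" in label for label, _ in parse_pem_blocks(text))


def certificates_only(text):
    """Return a PEM string that keeps only CERTIFICATE blocks, preserving order.
    This is the part that can be handed to other parties; the key never leaves."""
    certs = [block for label, block in parse_pem_blocks(text) if label == "CERTIFICATE"]
    return "".join(block + "\n" for block in certs)


def build_splunk_server_pem(server_cert, private_key, ca_bundle):
    """Concatenate server cert, private key and CA chain in that order
    (the order Splunk's documentation uses for serverCert / sslCertPath files)."""
    parts = (server_cert, private_key, ca_bundle)
    return "".join(p if p.endswith("\n") else p + "\n" for p in parts)


def summarize(text):
    """Count block kinds so an operator can see at a glance what a file contains."""
    counts = {}
    for label, _ in parse_pem_blocks(text):
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample material (placeholder bodies, not valid DER/base64 of real certs).
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nMIIC...constructed-server-cert...\n-----END CERTIFICATE-----\n"
PRIVATE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed-private-key...\n-----END RSA PRIVATE KEY-----\n"
CA_ROOT = "-----BEGIN CERTIFICATE-----\nMIID...constructed-ca-root...\n-----END CERTIFICATE-----\n"
CA_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMIID...constructed-ca-intermediate...\n-----END CERTIFICATE-----\n"

# Step 5 from the post: CA bundle = intermediate(s) followed by root.
CA_BUNDLE = CA_INTERMEDIATE + CA_ROOT
# Step 6 from the post: combined server PEM.
COMBINED_PEM = build_splunk_server_pem(SERVER_CERT, PRIVATE_KEY, CA_BUNDLE)


if __name__ == "__main__":
    print("combined file contains:", summarize(COMBINED_PEM))
    print("combined file has a private key:", contains_private_key(COMBINED_PEM))
    distributable = certificates_only(COMBINED_PEM)
    print("certificate-only copy has a private key:", contains_private_key(distributable))
    print("certificate-only copy contains:", summarize(distributable))
```

Running `contains_private_key` on a file before it is copied to a forwarder, a connector host, or a ticket attachment is a cheap guard against shipping the step 6 bundle by mistake; `certificates_only` yields the CA chain (and server certificate) that peers need for validation without the key.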
