Hi guys. I have a problem with certificate revocation on Splunk forwarder.

Description: There are 3 VMs with Red Hat:
- Certification Authority (CA) - with Easy RSA installed and an Apache server to publish certificates
- Indexer (IDX) - full Splunk server installation
- Forwarder (FW) - Splunk forwarder

I managed to create certificates for both IDX and FW, then signed them using EasyRSA on CA. The system is able to establish an SSL connection between IDX and FW. So far I am HAPPY.

But when I use CA to revoke the FW certificate, Splunk is not able to detect this change and the system still takes the FW certificate as valid. After revoking the FW certificate I have published the new CRL in /var/www/pki/crl.pem. Using a browser I am able to download it and check that the certificate was revoked. From /var/log/httpd/access_log I can tell that IDX or FW have never accessed the CRL.

I tried to set sslCommonNameToCheck. This works fine, but it is unsuitable for me because the final solution has hundreds of Forwarders and maintaining the list in sslCommonNameToCheck is too cumbersome. I also tried splunk reload crl with no success.

File Settings:

IDX (server.conf)
    [sslConfig]
    sslRootCAPath = /opt/splunk/etc/auth/myauth/ca.pem

IDX (inputs.conf)
    [splunktcp-ssl:9997]
    disabled = 0
    [SSL]
    serverCert = /opt/splunk/etc/auth/myauth/myNewServerCertificate.pem
    sslPassword = $7$qV7bjcVNcqRlm70Y1cpaazqeGFmH6nyfnNN1TSCDu82ZPhnqMw==
    requireClientCert = true

FW (server.conf)
    [sslConfig]
    sslRootCAPath = /opt/splunkforwarder/etc/auth/myauth/ca.pem

FW (outputs.conf)
    [tcpout]
    defaultGroup = indexer2
    [tcpout:indexer2]
    server = xx.xx.xx.xx:9997
    clientCert = /opt/splunkforwarder/etc/auth/myauth/myNewClientCertificate.pem
    sslPassword = $7$hibYhkL2wOexhWDmyBqMEk358HGFaLe4jQ8RT6ruDsEeQmS6Ww==

Thank you for your time and so much needed advice.
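Added example, not from the original post and not Splunk's own code: a throwaway lab built with the openssl CLI that issues a forwarder certificate, revokes it and republishes the CRL, then shows that the certificate is rejected only when the verifier is actually handed that CRL, which is the browser check described above done on the command line. It assumes the openssl command-line tool is installed; the CA name, certificate names and file paths are placeholders.

```shell
set -e
LAB=$(mktemp -d)
cd "$LAB"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = lab_policy
x509_extensions  = leaf_ext
[ lab_policy ]
commonName       = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber
# Lab CA, then a client certificate for one forwarder (constructed test data, placeholder names)
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=LabCA -keyout ca.key -out ca.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj /CN=forwarder01 -keyout fw.key -out fw.csr 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in fw.csr -out fw.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# Validate CERT against the lab CA; revocation is only checked when a CRL is passed in
cert_status() {  # usage: cert_status CERT [CRL]  -> prints accepted|rejected
  if [ -n "$2" ]; then set -- -crl_check -CRLfile "$2" "$1"; fi
  openssl verify -CAfile "$LAB/ca.pem" "$@" >/dev/null 2>&1 && echo accepted || echo rejected
}
echo "before revocation, CRL supplied:  $(cert_status fw.pem crl.pem)"   # accepted
openssl ca -config ca.cnf -revoke fw.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # republish the CRL, as done on the CA VM
echo "after revocation, CRL supplied:   $(cert_status fw.pem crl.pem)"   # rejected
echo "after revocation, no CRL checked: $(cert_status fw.pem)"           # accepted, the symptom in the question
```

The last line is the behaviour to look for on the indexer: a peer that never fetches or loads the CRL has nothing to reject the certificate with, so checking the web server's access log for CRL downloads, as done above, is the right first test.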