Splunk SSL Certs

walsborn
Path Finder

I'm stepping into this Splunk admin role and have multiple SSL certs expiring soon. We have 6 indexers managed by a master, 4 search heads managed by a search head deployer, and thousands of universal forwarders managed by a deployer. I've read how to generate the certs and cert authority, but how should I go about distribution? Also, any helpful hints on securing my environment better would be greatly appreciated.

0 Karma

DavidHourani
Super Champion

Hi @walsborn,

You're in for some fun. If you have a look here:

https://answers.splunk.com/answers/92957/including-ssl-certificates-in-a-splunk-app.html

The accepted answer mentions that you have to distribute your certificates into $SPLUNK/etc/auth, which you can do via scripting, Ansible, etc. But if you check the answers underneath it, they mention using custom Splunk apps for including and distributing the certs, and that also works.
You can therefore choose either of those approaches; I would say go for the one that you find easier to maintain and possibly one day hand over. If you feel comfortable with changing a couple of lines in outputs.conf to point to the certs' new location via a Splunk app, then go for that. If you'd rather just deploy your certs using a script and be done with it without any Splunk config hassle, then go for that as well 🙂

In either case, configs are available online; I can help you find some docs if needed.

Cheers,
David

0 Karma
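
The app-based approach described in the answer above could look like the following. This is an added example, not from the thread or from Splunk's own documentation; the app name `org_all_forwarder_ssl`, the file names, the output group name and the indexer host names are hypothetical, and the password is a placeholder.

```ini
# Hypothetical deployment app layout (app and file names are assumptions):
#   org_all_forwarder_ssl/
#     auth/client.pem     forwarder certificate and private key
#     auth/cacert.pem     CA certificate(s) the forwarder should trust
#     local/outputs.conf
#     local/server.conf

# --- local/outputs.conf ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Constructed host names; 9997 is the conventional receiving port
server = idx1.example.com:9997, idx2.example.com:9997
# Point at the certificate shipped inside the app rather than etc/auth
clientCert = $SPLUNK_HOME/etc/apps/org_all_forwarder_ssl/auth/client.pem
# Placeholder: password protecting the private key in client.pem
sslPassword = <private-key-password>
# Reject indexers whose certificate does not chain to the trusted CA
sslVerifyServerCert = true

# --- local/server.conf ---
[sslConfig]
# CA bundle used to validate certificates presented by peers
sslRootCAPath = $SPLUNK_HOME/etc/apps/org_all_forwarder_ssl/auth/cacert.pem
```

Because an app like this carries a private key, restrict read access to the app directory on the deployment server and on the forwarders.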

walsborn
Path Finder

Good stuff David, thank you. I guess I should've been more specific with my question. We currently have custom apps that distribute our certs. My only concern, or wonder if you will, is: upon doing my rip and replace of all SSL certs in my environment, how are my clients going to talk to my deployment servers? And ripping and replacing SSL certs, I would think, would need to be completed in a certain order to ensure all can communicate, so what would that order be?

0 Karma