Obtain TLS certificates for data sources and Edge Processors

You can use mutually authenticated TLS (mTLS) to secure communications between data sources and Edge Processors. When mTLS is active, the data source and the Edge Processor must prove their identities by presenting valid TLS certificates before they can connect and communicate with each other. To configure mTLS, you must provide client certificates that validate the identity of the data source and server certificates that validate the identity of the Edge Processor.

The instructions on this page describe how to obtain the necessary TLS certificates. If you already have certificates that you'd like to use, then proceed to the following pages for information on how to configure your data source and Edge Processor to use the certificates:

The certificates that you use to configure mTLS between data sources and Edge Processors are different from the certificates that you use to configure TLS or mTLS between Edge Processors and Splunk indexers. If you are looking for instructions on configuring TLS or mTLS between Edge Processors and indexers, see the "Obtaining TLS certificates" section in Send data from Edge Processors to non-connected Splunk platform deployments using S2S or Send data from Edge Processors to non-connected Splunk platform deployments using HEC.

Configuring mTLS between data sources and Edge Processors

Configuring mTLS involves the following high-level steps:

  1. Get or generate the following certificates:
    • A client certificate, private key, and CA certificate that the data source can use to prove its identity.
    • A server certificate, private key, and CA certificate that the Edge Processor can use to prove its identity.

    Typically, each certificate is stored in a separate Privacy Enhanced Mail (PEM) file. However, if the data source is a Splunk forwarder, then you must concatenate the client certificate, private key, and CA certificate in the listed order into the same PEM file. For more information, see How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.

  2. Configure your data source to use the client certificates.
  3. Upload the server certificates to your Edge Processor.

  The Edge Processor uses the same PEM files to prove its identity to all data sources where mTLS is used. For example, if you turn on mTLS for both Splunk forwarders and HTTP Event Collector (HEC) data sources, then the Edge Processor uses the same server-side PEM files when receiving data from both types of data sources.

The steps that you must follow to obtain TLS certificates depend on the type of certificates you intend to use. You have two options for obtaining these certificates:

If you're working with a Splunk forwarder that has the sslVerifyServerCert property in the outputs.conf file turned on, then you must use a certificate from a third party.

Generate and self-sign client and server certificates to secure communications

Follow these steps if you've chosen to create and sign your own certificates to secure communications between data sources and Edge Processors.

Before creating a certificate authority (CA), you must choose a signing algorithm for the CA's private key. Follow the set of instructions that match the signing algorithm that you'd like to use:

RSA: Generate self-signed client and server certificates

Follow these steps if you've chosen to create and sign your own certificates with the RSA signing algorithm to secure communications between data sources and Edge Processors.

  1. Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
  2. Create a new directory in which to store your certificates.
  3. Change to the new directory you created.
  4. Create the Certificate Authority's certificate and keys.
    1. Generate a private key for the CA.
      openssl genrsa 2048 > ca_key.pem
    2. Generate the self-signed CA certificate. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -new -x509 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -key ca_key.pem -out ca_cert.pem
  5. Create the server certificate and keys.
    1. Generate the private key and certificate signing request for your server. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -newkey rsa:2048 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -keyout edge_server_key.pem -out edge_server_req.pem
    2. Sign the server certificate using your self-signed root CA. Replace <FQDN_Edge_Processor_Instance> with the host name that data sources use to reach the Edge Processor; a client that verifies the server certificate matches that host name against this subjectAltName. The <(...) syntax is bash process substitution; in other shells, including PowerShell, write the subjectAltName line to a file and pass that file to -extfile instead.
      openssl x509 -req -days 825 -sha256 -set_serial 01 -extfile <(printf "subjectAltName=DNS:<FQDN_Edge_Processor_Instance>") -in edge_server_req.pem -out edge_server_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
    3. Verify the server certificate against the CA certificate.
      openssl verify -CAfile ca_cert.pem edge_server_cert.pem
  6. Create the client certificate and keys.
    1. Generate the private key and certificate signing request. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -newkey rsa:2048 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -keyout data_source_client_key.pem -out data_source_client_req.pem
    2. Sign the client certificate using your self-signed root CA. Use a serial number that differs from the one you gave the server certificate: every certificate issued by the same CA must have a unique serial number, and some TLS implementations reject a certificate that reuses an issuer and serial pair.
      openssl x509 -req -days 825 -sha256 -set_serial 02 -in data_source_client_req.pem -out data_source_client_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
    3. Verify the client certificate against the CA certificate.
      openssl verify -CAfile ca_cert.pem data_source_client_cert.pem


ECDSA: Generate self-signed client and server certificates

Follow these steps if you've chosen to create and sign your own certificates with the ECDSA signing algorithm to secure communications between data sources and Edge Processors.

  1. Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
  2. Create a new directory in which to store your certificates.
  3. Change to the new directory you created.
  4. Create the Certificate Authority's certificate and keys.
    1. Generate an ECDSA private key for the CA.
      openssl ecparam -genkey -name prime256v1 -out ca_key.pem
    2. Generate the self-signed CA certificate. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -x509 -new -SHA384 -nodes -days 825 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -key ca_key.pem -out ca_cert.pem
  5. Create the server certificate and keys.
    1. Generate the server key.
      openssl ecparam -genkey -name prime256v1 -out edge_server_key.pem
    2. Generate the certificate signing request from the server key. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -new -SHA384 -key edge_server_key.pem -nodes -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -out edge_server_req.pem
    3. Sign the server certificate using your self-signed root CA. Replace <FQDN_Edge_Processor_Instance> with the host name that data sources use to reach the Edge Processor. The <(...) syntax is bash process substitution; in other shells, including PowerShell, write the subjectAltName line to a file and pass that file to -extfile instead.
      openssl x509 -req -days 825 -set_serial 01 -extfile <(printf "subjectAltName=DNS:<FQDN_Edge_Processor_Instance>") -in edge_server_req.pem -out edge_server_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
    4. Verify the server certificate against the CA certificate.
      openssl verify -CAfile ca_cert.pem edge_server_cert.pem
  6. Create the client certificate and keys.
    1. Generate the client key.
      openssl ecparam -genkey -name prime256v1 -out data_source_client_key.pem
    2. Generate the certificate signing request from the client key. Replace the text contained in the -subj flag with the information relevant to you.
      openssl req -new -SHA384 -key data_source_client_key.pem -nodes -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -out data_source_client_req.pem
    3. Sign the client certificate using your self-signed CA. Use a serial number that differs from the one you gave the server certificate, because every certificate issued by the same CA must have a unique serial number.
      openssl x509 -req -SHA384 -days 825 -set_serial 02 -in data_source_client_req.pem -out data_source_client_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
    4. Verify the client certificate against the CA certificate.
      openssl verify -CAfile ca_cert.pem data_source_client_cert.pem


Confirm that you have the required certificates

After generating and self-signing the certificates, you have the following files:

  File name                     Description
  ca_cert.pem                   The CA certificate that you upload to both the Edge Processor and the data source
  edge_server_cert.pem          The server certificate that you upload to an Edge Processor
  edge_server_key.pem           The private key associated with the server certificate
  data_source_client_cert.pem   The client certificate that you upload to a data source
  data_source_client_key.pem    The private key associated with the client certificate

Obtain a certificate from a third party

If you want to use a certificate signed by a third-party CA such as Let's Encrypt, Sectigo, or Symantec, you can acquire the certificates directly from that CA and upload them to the Edge Processor service.

You will need to ask the third party for the client certificates for the data sources, the server certificates for the Edge Processors, and the CA certificate. If the third party also provides an intermediate certificate, append it after your server certificate. Do not redirect the output of cat back into one of its own input files (as in cat edge_server_cert.pem intermediate.pem > edge_server_cert.pem): the shell truncates the output file before cat reads it, which leaves you with only the intermediate certificate. Append to the file instead:

cat intermediate.pem >> edge_server_cert.pem

Create a combined certificate file for a Splunk forwarder

When preparing TLS certificates for proving the identity of a universal forwarder or a heavy forwarder, you must combine the certificates into a single PEM file. For more information, see How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.
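The following script is an added example, not a script that Splunk ships or that this page provides. It carries out the RSA procedure from the section above end to end, writes the subjectAltName extension to a file rather than relying on bash process substitution, gives the server and client certificates distinct serial numbers, and then checks the results the way a reviewer would: chain validation with openssl verify, a subjectAltName match against the Edge Processor host name, a serial-uniqueness check, and a block-order check on the combined forwarder PEM described in this section (client certificate, private key, CA certificate). The organization name, the CN values, and the Edge Processor host name edge-processor.example.internal are constructed placeholders; the EP_FQDN and RUN_EXAMPLE variables and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not Splunk's own code): generate and check mTLS certificates
# for a data source and an Edge Processor. Values below are constructed.
set -eu

EP_FQDN="${EP_FQDN:-edge-processor.example.internal}"   # assumed host name
SUBJ_BASE="/C=US/O=Example Org"                          # constructed subject

# Create a self-signed RSA CA (ca_key.pem, ca_cert.pem) in directory $1.
make_ca() {
    openssl genrsa -out "$1/ca_key.pem" 2048 2>/dev/null
    openssl req -new -x509 -nodes -days 825 -sha256 \
        -subj "$SUBJ_BASE/CN=Example Edge Processor CA" \
        -key "$1/ca_key.pem" -out "$1/ca_cert.pem" 2>/dev/null
}

# Issue a leaf certificate: $1=dir $2=file prefix $3=serial $4=SAN host (optional).
# Every certificate issued by one CA needs its own serial number (RFC 5280),
# so the server and client certificates must not both be signed as 01.
issue_cert() {
    dir=$1; name=$2; serial=$3; san=${4:-}
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$SUBJ_BASE/CN=$name" \
        -keyout "$dir/${name}_key.pem" -out "$dir/${name}_req.pem" 2>/dev/null
    set --
    if [ -n "$san" ]; then
        # The extension goes into a real file instead of bash-only <(...),
        # so the same command works from any POSIX shell.
        printf 'subjectAltName=DNS:%s\n' "$san" > "$dir/${name}_ext.cnf"
        set -- -extfile "$dir/${name}_ext.cnf"
    fi
    openssl x509 -req -days 825 -sha256 -set_serial "$serial" "$@" \
        -in "$dir/${name}_req.pem" -out "$dir/${name}_cert.pem" \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" 2>/dev/null
}

# Chain check: succeeds only if the CA in $1 vouches for certificate file $2.
verify_chain() {
    openssl verify -CAfile "$1/ca_cert.pem" "$1/$2" >/dev/null 2>&1
}

# Host name check: the server certificate must carry the Edge Processor FQDN
# ($2) as a DNS subjectAltName, or verifying clients will refuse it.
san_matches() {
    openssl x509 -in "$1/edge_server_cert.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$2"
}

# Serial uniqueness check across the two leaf certificates issued by the CA.
serials_differ() {
    s1=$(openssl x509 -in "$1/edge_server_cert.pem" -noout -serial)
    s2=$(openssl x509 -in "$1/data_source_client_cert.pem" -noout -serial)
    [ "$s1" != "$s2" ]
}

# Splunk forwarders need one PEM holding client certificate, private key and
# CA certificate in that order; build it and confirm the block order.
make_forwarder_pem() {
    out="$1/forwarder_combined.pem"
    cat "$1/data_source_client_cert.pem" "$1/data_source_client_key.pem" \
        "$1/ca_cert.pem" > "$out"
    headers=$(grep '^-----BEGIN' "$out")
    [ "$(printf '%s\n' "$headers" | sed -n 1p)" = "-----BEGIN CERTIFICATE-----" ] &&
        printf '%s\n' "$headers" | sed -n 2p | grep -q 'PRIVATE KEY' &&
        [ "$(printf '%s\n' "$headers" | sed -n 3p)" = "-----BEGIN CERTIFICATE-----" ]
}

# Run the whole procedure in $1 (or a fresh temp dir) and print the directory.
build_all() {
    dir=${1:-$(mktemp -d)}
    make_ca "$dir"
    issue_cert "$dir" edge_server 01 "$EP_FQDN"
    issue_cert "$dir" data_source_client 02
    verify_chain "$dir" edge_server_cert.pem
    verify_chain "$dir" data_source_client_cert.pem
    san_matches "$dir" "$EP_FQDN"
    serials_differ "$dir"
    make_forwarder_pem "$dir"
    printf '%s\n' "$dir"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    build_all
fi
```

Run it as RUN_EXAMPLE=1 EP_FQDN=<your Edge Processor host name> sh make_certs.sh; it prints the directory holding ca_cert.pem, edge_server_cert.pem, edge_server_key.pem, data_source_client_cert.pem, data_source_client_key.pem and forwarder_combined.pem, and exits non-zero if any of the checks fails. Because set -e is on, a wrong SAN or a reused serial stops the script before anything is uploaded.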

Next steps

Configure your data source and Edge Processor to use the TLS certificates. See the following pages:

Last modified on 27 February, 2024

This documentation applies to the following versions of Splunk Cloud Platform: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)