Obtain TLS certificates for data sources and Edge Processors
You can use mutually authenticated TLS (mTLS) to secure communications between data sources and Edge Processors. When mTLS is active, the data source and the Edge Processor must prove their identities by presenting valid TLS certificates before they can connect and communicate with each other. To configure mTLS, you must provide client certificates that validate the identity of the data source and server certificates that validate the identity of the Edge Processor.
The instructions on this page describe how to obtain the necessary TLS certificates. If you already have certificates that you'd like to use, then proceed to the following pages for information on how to configure your data source and Edge Processor to use the certificates:
- Get data from a forwarder into an Edge Processor
- Get data into an Edge Processor using HTTP Event Collector
- Get syslog data into an Edge Processor
The certificates that you use to configure mTLS between data sources and Edge Processors are different from the certificates that you use to configure TLS or mTLS between Edge Processors and Splunk indexers. If you are looking for instructions on configuring TLS or mTLS between Edge Processors and indexers, see the "Obtaining TLS certificates" section in Send data from Edge Processors to non-connected Splunk platform deployments using S2S or Send data from Edge Processors to non-connected Splunk platform deployments using HEC.
Configuring mTLS between data sources and Edge Processors
Configuring mTLS involves the following high-level steps:
- Get or generate the following certificates:
- A client certificate, private key, and CA certificate that the data source can use to prove its identity.
- A server certificate, private key, and CA certificate that the Edge Processor can use to prove its identity.
Typically, each certificate is stored in a separate Privacy Enhanced Mail (PEM) file. However, if the data source is a Splunk forwarder, then you must concatenate the client certificate, private key, and CA certificate in the listed order into the same PEM file. For more information, see How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.
- Configure your data source to use the client certificates.
- Upload the server certificates to your Edge Processor.
The Edge Processor uses the same PEM files to prove its identity to all data sources where mTLS is used. For example, if you turn on mTLS for both Splunk forwarders and HTTP Event Collector (HEC) data sources, then the Edge Processor uses the same server-side PEM files when receiving data from both types of data sources.
The steps that you must follow to obtain TLS certificates depend on the type of certificates you intend to use. You have two options for obtaining these certificates:
- Create and sign the certificates yourself. This is the fastest and lowest cost method for getting certificates, but it is less secure than getting signed certificates from a third party. For instructions, see Generate and self-sign client and server certificates to secure communications on this page.
- Get signed certificates from a third party. This option is the most secure method for getting certificates, but it involves a third party and potentially a cost to obtain the certificates. For instructions, see Obtain a certificate from a third-party on this page.
If you're working with a Splunk forwarder that has the sslVerifyServerCert
property in the outputs.conf file turned on, then you must use a certificate from a third party.
Generate and self-sign client and server certificates to secure communications
Follow these steps if you've chosen to create and sign your own certificates to secure communications between data sources and Edge Processors.
Before creating a certificate authority (CA), you must choose a signing algorithm for the CA's private key. Follow the set of instructions that match the signing algorithm that you'd like to use:
- RSA: Generate self-signed client and server certificates
- ECDSA: Generate self-signed client and server certificates
RSA: Generate self-signed client and server certificates
Follow these steps if you've chosen to create and sign your own certificates with the RSA signing algorithm to secure communications between data sources and Edge Processors.
- Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
- Create a new directory that you'd like to store your certificates on.
- Change to the new directory you created.
- Create the Certificate Authority's certificate and keys.
- Generate a private key for the CA.
openssl genrsa 2048 > ca_key.pem
- Generate the self-signed CA certificate. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -new -x509 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -key ca_key.pem -out ca_cert.pem
- Generate a private key for the CA.
- Create the server certificate and keys.
- Generate the private and public keys for your server. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -newkey rsa:2048 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -keyout edge_server_key.pem -out edge_server_req.pem
- Sign the server certificate using your self-signed root CA.
openssl x509 -req -days 825 -sha256 -set_serial 01 -extfile <(printf "subjectAltName=DNS:<FQDN_Edge_Processor_Instance>") -in edge_server_req.pem -out edge_server_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
- Verify the server certificates.
openssl verify -CAfile ca_cert.pem edge_server_cert.pem
- Generate the private and public keys for your server. Replace the text contained in the
- Create the client certificate and keys.
- Generate the private key and certificate request. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -newkey rsa:2048 -nodes -days 825 -sha256 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -keyout data_source_client_key.pem -out data_source_client_req.pem
- Sign the client certificate using your self-signed root CA.
openssl x509 -req -days 825 -sha256 -set_serial 01 -in data_source_client_req.pem -out data_source_client_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
- Verify the client certificates.
openssl verify -CAfile ca_cert.pem data_source_client_cert.pem
- Generate the private key and certificate request. Replace the text contained in the
ECDSA: Generate self-signed client and server certificates
Follow these steps if you've chosen to create and sign your own certificates with the ECDSA signing algorithm to secure communications between data sources and Edge Processors.
- Open a command line interface, for example, a shell prompt, or a Terminal or PowerShell window.
- Create a new directory that you'd like to store your certificates on.
- Change to the new directory you created.
- Create the Certificate Authority's certificate and keys.
- Generate an ECDSA private key for the CA.
openssl ecparam -genkey -name prime256v1 -out ca_key.pem
- Generate the self-signed CA certificate. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -x509 -new -SHA384 -nodes -days 825 -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -key ca_key.pem -out ca_cert.pem
- Generate an ECDSA private key for the CA.
- Create the server certificate and keys.
- Generate the server key.
openssl ecparam -genkey -name prime256v1 -out edge_server_key.pem
- Generate the private key and certificate request. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -new -SHA384 -key edge_server_key.pem -nodes -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -out edge_server_req.pem
- Sign the server certificate using your self-signed root CA.
openssl x509 -req -days 825 -set_serial 01 -extfile <(printf "subjectAltName=DNS:<FQDN_Edge_Processor_Instance>") -in edge_server_req.pem -out edge_server_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
- Verify the server certificates.
openssl verify -CAfile ca_cert.pem edge_server_cert.pem
- Generate the server key.
- Create the client certificate and keys.
- Generate the client key.
openssl ecparam -genkey -name prime256v1 -out data_source_client_key.pem
- Generate the private key and certificate request. Replace the text contained in the
-subj
flag with the information relevant to you.openssl req -new -SHA384 -key data_source_client_key.pem -nodes -subj "/C=<Country>/O=<Organization>/CN=<Common-Name>/emailAddress=<Email>" -out data_source_client_req.pem
- Sign the client certificate using your self-signed CA.
openssl x509 -req -SHA384 -days 825 -set_serial 01 -in data_source_client_req.pem -out data_source_client_cert.pem -CA ca_cert.pem -CAkey ca_key.pem
- Verify the client certificates.
openssl verify -CAfile ca_cert.pem data_source_client_cert.pem
- Generate the client key.
Confirm that you have the required certificates
After generating and self-signing the certificates, you have the following files:
File name | Description |
---|---|
ca_cert.pem | The CA certificate that will be uploaded to both the Edge Processor and the data source |
edge_server_cert.pem | The server certificates that will be uploaded to an Edge Processor |
edge_server_key.pem | The private key associated with the server certificate |
data_source_client_cert.pem | The client certificates that will be uploaded to a data source |
data_source_client_key.pem | The private key associated with the client certificate |
Obtain a certificate from a third party
If you want to use a signed third party certificate from a CA such as Let's Encrypt, Sectigo, or Symantec, you can acquire the certificate directly from those CAs, and upload them to the Edge Processor service.
You will need to ask the third party for the client certificates for the data sources, the server certificates for the Edge Processors, and the CA certificate. If there is an intermediate certificate from the third party, then add it to your server certificate:
cat edge_server_cert.pem intermediate.pem > edge_server_cert.pem
Create a combined certificate file for a Splunk forwarder
When preparing TLS certificates for proving the identity of a universal forwarder or a heavy forwarder, you must combine the certificates into a single PEM file. For more information, see How to prepare TLS certificates for use with the Splunk platform in the Securing Splunk Enterprise manual.
Next steps
Configure your data source and Edge Processor to use the TLS certificates. See the following pages:
Get syslog data into an Edge Processor | How the destination for Edge Processor works |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!