Unable to use multiple certificates and passphrases for Splunk TCP Source


In a Cribl Distributed Deployment, with one Worker Group, and 2 Worker Nodes in this Worker Group, with a Source Splunk TCP enabled, and TLS enabled from Leader Node, It is not possible to use a unique certificate and passphrase for each Worker Node.
It is possible, to have each Worker Node in a different Worker Group. But that means all the settings must be the same (Sources, Destination, Routes, Pipelines). That means in the end that the use of Leader Node is useless.
Is that correct?
Can we improve that? Or make an enhancement?

Thank you!
Best regards,

You can specify the location of the keypair on the filesystem. Then you only need to make sure every worker has their unique key in the right location. It just means you’re not using the Leader to manage this part. The pic below is from a source config TLS screen:

Hi Jon,

Thanks for your reply.
yes, I figured out I can do it like that with the private key, certificate, and rootCA. That can be written on Leader Node.
But it is not clear to me how I reference the passphrase.
I cannot follow this: “Then you only need to make sure every worker has their unique key in the right location”.
What do you mean in the right location? How do I reference the passphrase (which is unique for each private key)? I could not find a way to do it via a file.

Your reply would be even more appreciated :slight_smile:

There isn’t a way to have different passphrases for the keys. They’d all use the same, as supplied in the GUI.

What I mean by “Then you only need to make sure every worker has their unique key in the right location”

You’re going to list in the config screen the absolute PATH to the cert files. The cert files will need to be on every worker in this location. And use the same passphrase.

Hello Jon.
Thanks for your reply.
Then you only confirm my initial post.
Now comes to my question / request of enhancement: Can this be enhanced /taken into consideration for enhancement so that we can use different passphrases for different certificates?
My customer is not willing to generate 2 different certificates with the same passphrase as this would break their security rules.
Thanks you in advance for your reply.

Interesting use case. Very few users have different certs per worker. And I’ve never come across any install requiring different passwords per node in a cluster (Cribl or otherwise). I’ll gen up an enhancement request, but any extra color you can add would be good to add to the ticket.