I currently have SSL working between Winlogbeat 6.1.1 on a Windows 10 x64 computer and Logstash 6.1.1 running on CentOS 7.
The way I set it up was to request a new certificate from the local computer certificate store and then export that to a pfx. I then used openssl to split the certificates out and copy them to the winlogbeat directory. For additional security I changed the permissions on the private key so that only SYSTEM can access it.
Both certificates are signed by our enterprise CA.
My question to those who have this setup - how do you handle renewal?
Renewing 1 or 2 manually would not be a big deal but we are discussing monitoring about 300-400 workstations. Obviously computer certificates can be easily auto-renewed via group policy. The problem is exporting them and changing permissions. In theory, a logon script could be written to check the certificate and when it is renewed, export it and run the appropriate openssl commands to split it out. This, however, would require openssl to be on every Windows workstation and I have never had good luck running openssl under Windows.
I just wondered how other people were handling this issue to see if there was a better way. Any tips would be appreciated.
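
The renewal check described in the post, written out as an added PowerShell example (not the poster's script): it detects a renewed computer certificate by thumbprint, re-exports it, splits it with openssl and restricts the key file to SYSTEM before any key material is written. Assumptions: it runs as SYSTEM (for example as a computer startup script or scheduled task), the certificate template allows private key export, `openssl.exe` is on the PATH, and the directory, file names and Client Authentication EKU filter are hypothetical choices.

```powershell
# Added example. Paths and the selection rule are assumptions, not from the post.
$ErrorActionPreference = 'Stop'
$OutDir    = 'C:\Program Files\Winlogbeat\certs'    # hypothetical directory
$CertPem   = Join-Path $OutDir 'client.crt.pem'     # hypothetical file names
$KeyPem    = Join-Path $OutDir 'client.key.pem'
$StateFile = Join-Path $OutDir 'exported.thumbprint'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                 # Client Authentication EKU

# Newest currently valid machine certificate that has a private key and the EKU.
$now  = Get-Date
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No usable computer certificate found.' }

# Skip the export when this thumbprint was already written out.
$last = if (Test-Path $StateFile) { Get-Content $StateFile -TotalCount 1 }
if ($last -eq $cert.Thumbprint) { return }

# One-time random PFX password, passed to openssl through the environment
# so it never appears on a command line.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$env:PFX_PASS = [Convert]::ToBase64String($bytes)
$pfx = Join-Path $OutDir 'export.tmp.pfx'
try {
    # Fails unless the certificate template marks the private key exportable.
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password `
        (ConvertTo-SecureString $env:PFX_PASS -AsPlainText -Force) | Out-Null

    # Create the key file empty and restrict it to SYSTEM (S-1-5-18) before
    # openssl writes any key material into it.
    [System.IO.File]::Create($KeyPem).Dispose()
    icacls $KeyPem /inheritance:r /grant:r '*S-1-5-18:(F)' | Out-Null

    openssl pkcs12 -in $pfx -passin env:PFX_PASS -clcerts -nokeys -out $CertPem
    if ($LASTEXITCODE -ne 0) { throw 'Certificate extraction failed.' }
    openssl pkcs12 -in $pfx -passin env:PFX_PASS -nocerts -nodes -out $KeyPem
    if ($LASTEXITCODE -ne 0) { throw 'Key extraction failed.' }

    Set-Content -Path $StateFile -Value $cert.Thumbprint
    Restart-Service winlogbeat    # pick up the new certificate and key
}
finally {
    Remove-Item $pfx -ErrorAction SilentlyContinue
    Remove-Item Env:\PFX_PASS -ErrorAction SilentlyContinue
}
```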