To safeguard inbound communications to your Leader UI and API (default port 9000), enable Transport Layer Security (TLS) on the Leader.

This topic applies to on-prem and customer-managed Leader deployments only. For Cribl.Cloud deployments, TLS is enabled by default and managed automatically by the Cribl.Cloud platform.

This topic focuses on securing the Leader UI/API listener. For other TLS configurations, see:

• Secure Leader/Worker Nodes Communication: Secure the Leader-Worker Node control-plane channel (default port 4200).
• Import Certificates and Keys: Import and manage TLS certificates for reuse across multiple purposes.

Prerequisites

​

Before you enable TLS for the Leader UI/API, you need a TLS/SSL certificate and private key imported into Cribl Stream. For details on generating or importing certificates, see Import Certificates and Keys.

Step 1: Enable TLS for the Leader UI/API

​

After you have a certificate imported at Settings > Globals > Security > Certificates, enable TLS for the Leader UI/API listener:

1. In the Leader UI, go to Settings > Global > General Settings > API Server Settings > TLS.
2. Toggle Enabled on.
3. In Certificate name, select a certificate you’ve imported (for example, leader-ui-tls).
4. (Optional) Adjust any additional TLS options as needed (for example, minimum/maximum TLS versions).
5. Select Save.

After you save:

• The Leader UI/API now listens on HTTPS.

• Access the UI/API using: https://<hostname>:<port>/

  For example: https://leader.example.com:9000/settings/system

After enabling TLS, you must prepend https:// to all Cribl Stream URLs on the Leader Node.

Step 2 (Optional): Enable TLS for Leader-Worker Node Communications

​

To secure the Leader-Worker Node control-plane channel (port 4200), see Secure Leader/Worker Nodes Communication. That guide walks you through:

• Uploading the same certificate (or a different one) to the relevant Worker Groups.
• Enabling TLS on each Worker Node’s distributed settings.
• Enabling TLS for the Leader’s distributed endpoint so Worker Nodes connect securely.

Advanced: Configure TLS via Config Files

​

Most deployments should configure TLS through the UI. Use this method only when you have a clear config-as-code workflow. Avoid ad-hoc manual edits of local config files on running systems; prefer the UI or a consistent automation pipeline that owns these files.

If you manage Cribl Stream via automation (for example, configuration management, containers, or Cribl as Code), you can configure the Leader UI/API listener in cribl.yml.

Example cribl.yml snippet:

api:
  host: 0.0.0.0
  port: 9000
  disabled: false
  ssl:
    disabled: false
    privKeyPath: /path/to/myKey.pem
    certPath: /path/to/myCert.pem

For details on generating and importing certificates and keys used in this example, see Import Certificates and Keys.

Restore Unencrypted Private Keys

​

In Cribl Stream 4.1 and newer, for enhanced security, Cribl encrypts TLS certificate private keys in configuration files when you add or modify them. Before upgrading to v.4.1.0 (or newer), back up your existing unencrypted key files - see Safeguarding Unencrypted Private Keys for Rollback.

If you need to roll back from Cribl Stream 4.1 or later to an earlier version, follow this procedure to restore the unencrypted private key files that you backed up earlier:

1. Stop Cribl Stream 4.1 (or later) on hosts - the Leader and all Worker Nodes.
2. Untar the older Cribl Stream version (v.4.0.4, for example) onto the Leader and all Worker Nodes.
3. Manually edit each Cribl Stream config file that contains an encrypted private key. Replace each key with its prior unencrypted version.
4. Start up Cribl Stream, commit and deploy, and resume normal operations.