Securing Cribl.Cloud with TLS and Mutual TLS

Secure data transmission is essential for protecting sensitive information as it travels across networks. Cribl.Cloud offers two primary methods for securing data in transit:

  • Transport Layer Security (TLS) - Encrypts data during transmission and authenticates the server.
  • Mutual TLS (mTLS) - Adds client authentication on top of standard TLS.

For encrypting data in transit and simple server verification, standard TLS is sufficient. Opt for mTLS when security policies mandate additional client verification.

This guide explains both security methods and walks you through configuration options in Cribl.Cloud.

TLS in Cribl.Cloud

In Cribl.Cloud, you can enable TLS encryption and use Cribl-provided certificates for certain Sources to ensure that your data is protected in transit.

Cribl-provided certificates offer the following benefits:

  • Reliable, ready-to-use security: When you enable TLS and enter the correct environment variables for Cribl-provided certificates in the Source configuration, data in transit is always encrypted.
  • Zero maintenance: Cribl-provided certificates are automatically managed and renewed.
  • Simplified deployment: No need to generate or install custom certificates.

You only need to use your own private key or configure mTLS if specifically required by your security team or company policies. If you need custom certificates, see Certificate-Based Authentication.

While TLS encryption ends at individual Nodes upon data arrival in Cribl.Cloud, data at rest is protected by other robust security measures within the platform.

Cribl-provided certificates are unique to each Workspace and Organization.

Cribl.Cloud supports Cribl-provided certificates for Sources including Cribl TCP, Cribl HTTP, Syslog, HTTP, and Splunk TCP. To view a complete list of the supported Sources, along with their corresponding ports and ingress addresses:

  1. Log in to your Cribl.Cloud portal.
  2. On the top bar, select Products, and then select Workspace under Cribl.
  3. In the sidebar, select Data Sources.

Enable TLS on Sources Using Cribl-Provided Certificates

To enable TLS using Cribl-provided certificates for a supported Source, configure the following TLS Settings for the Source:

  • Enabled: Toggle on.

  • Private key path: Enter $CRIBL_CLOUD_KEY. This environment variable represents the path to the default private key in Cribl.Cloud.

  • Certificate path: Enter $CRIBL_CLOUD_CRT. This environment variable represents the path to the default certificate in Cribl.Cloud.

  • Minimum TLS version: Select TLSv1.2.

When you finish configuring the Source, select Save, then Commit and Deploy.

For details on how to securely forward syslog data to your Cribl.Cloud instance, see Syslog TLS to Cribl.Cloud (Palo Alto Example). That topic demonstrates a vendor-specific configuration (Palo Alto) for secure data ingestion.

Enable mTLS Authentication on Cribl.Cloud

When standard TLS isn’t sufficient and you need client authentication, you can enable mTLS.

Prerequisites for mTLS

mTLS requires:

  • A CA certificate chain that can validate the client certificates.
  • Client certificates issued to each client that will connect to Cribl.Cloud.
  • Client systems configured to present their certificates during connection.

In Cribl.Cloud, you configure mTLS authentication separately for each Source.

Each Source needs a CA certificate chain that can validate the client certificates used for authentication. For secure communication using mTLS authentication in Cribl.Cloud, provide the root CA certificate that issued your client certificates. If you don’t have the root CA certificate, you can instead provide a CA certificate chain that includes all intermediate certificates leading back to a trusted root certificate.

Configure mTLS on a Source

You can add your CA certificate by creating a new certificate entry in Cribl.Cloud.

  1. Prepare the CA certificate chain PEM file.

  2. Go to the Worker Node: Settings > Global > Security > Certificates and select Add Certificate.

  3. Populate the Certificate field with valid PEM-formatted content (from your trusted CA certificate chain):

    -----BEGIN CERTIFICATE-----
    CERTIFICATE CONTENT
    -----END CERTIFICATE-----

  4. Populate the Private key field with the key in PEM format:

    -----BEGIN RSA PRIVATE KEY-----
    HIDDEN PRIVATE KEY
    -----END RSA PRIVATE KEY-----

  5. In the CA certificate field, enter your PEM-formatted CA certificate chain and save. Saving generates the CA certificate path.

While the Add Certificate form requires you to provide a Private Key and Certificate, these fields are not necessary for client certificate validation. This is a design limitation that requires you to provide some properly formatted values to proceed. You can use a self-signed certificate for this purpose.
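The following script is an added example, not Cribl's own tooling, covering the mTLS prerequisites above and steps 1 and 4 of the procedure. It uses openssl to build a throwaway root CA, an intermediate CA and a client certificate, concatenates the intermediate and root into the CA chain PEM that the CA certificate field takes, generates the self-signed placeholder pair for the form's mandatory Certificate and Private key fields, and then checks that the chain validates the right client certificate while a certificate from an unrelated CA, or a bare leaf checked against the root alone, is rejected. All file names, subject names (CN=root, CN=client and so on) and the one-day lifetimes are constructed assumptions; the Cribl.Cloud side of the procedure stays in the UI.

```shell
#!/bin/sh
# Added example (not Cribl's code): build a root -> intermediate -> client PKI with
# openssl, assemble the CA chain PEM for the "CA certificate" field, create the
# placeholder pair for the form's Certificate / Private key fields, and verify the
# chain accepts the intended client certificate and rejects a foreign one.
# File names, CNs and the 1-day lifetimes are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles: OpenSSL only builds a chain through certificates marked CA:TRUE;
# the leaf carries clientAuth, which a server-side client-certificate check expects.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue NAME EXTFILE [ISSUER]: writes NAME.key and NAME.crt; self-signed when ISSUER is omitted.
issue() {
  name=$1; ext=$2; issuer=${3:-}
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$ext" -out "$name.crt" 2>/dev/null
  fi
}

# verify_client CHAIN CERT: prints "ok" when CERT chains to a trust anchor in CHAIN and is
# usable for client authentication, "rejected" otherwise. This approximates the check a
# TLS server makes when client authentication is on; openssl verify itself is not Cribl's code.
verify_client() {
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# pem_cert_count FILE: number of CERTIFICATE blocks, a quick sanity check before pasting.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 1. The PKI that issues client certificates: root -> intermediate -> client.
issue root ca.ext
issue intermediate ca.ext root
issue client leaf.ext intermediate

# 2. The CA chain PEM for the "CA certificate" field: intermediate first, then the root it leads to.
cat intermediate.crt root.crt > chain.pem

# 3. Placeholder self-signed pair for the mandatory Certificate / Private key fields.
#    It takes no part in client validation.
issue placeholder leaf.ext

# 4. A client certificate from an unrelated CA must not validate against the chain.
issue other-root ca.ext
issue other-client leaf.ext other-root

printf 'chain.pem holds %s certificates\n' "$(pem_cert_count chain.pem)"
printf 'client.crt against chain.pem: %s\n' "$(verify_client chain.pem client.crt)"
printf 'other-client.crt against chain.pem: %s\n' "$(verify_client chain.pem other-client.crt)"
printf 'client.crt against root.crt alone (intermediate missing): %s\n' "$(verify_client root.crt client.crt)"
```

The last check is the reason the text asks for the full chain when you do not have the root: a bare leaf certificate cannot be validated from the root alone because the verifier has no way to reach the intermediate that signed it. Paste the contents of chain.pem into the CA certificate field, and placeholder.crt and placeholder.key into the Certificate and Private key fields; recent OpenSSL versions emit the key with a BEGIN PRIVATE KEY header rather than BEGIN RSA PRIVATE KEY, and both are valid PEM.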

Apply the CA Certificate to Your Source:

  1. Edit the certificate again to view the certificate path and copy it.
  2. Navigate to the Source where you want to enable mTLS and open the configuration modal. In the TLS Settings tab:
    1. Toggle Enable TLS to Yes.
    2. Set Authenticate Client to Yes.
    3. Paste the path in the CA certificate path field.
    4. Select Save, then Commit & Deploy.