
Stealthwatch: Self Generate Cert vs. CA cert

KelvinT
Level 1

Hello,

Is it best/common practice to install a customized certificate for Stealthwatch SMC, or is it recommended to use the original self-generated certificate? There isn't much documentation on this topic. I tried to use a CA cert in the lab and it was a royal pain.

Thanks

Accepted Solutions

Marvin Rhoads
Hall of Fame

It's more of a preference and policy issue than it is anything to do with the StealthWatch functionality.

Some organizations take the approach that anything that is secured with a certificate should have a proper one signed by a trusted CA. However, others say that since the only people interacting with the SMC are qualified security practitioners, they know that accepting the self-signed certificate is not a security risk in this case.

I lean towards the former camp but it does mean we have to increase our skills with certificates and CAs. Vendors could certainly do a better job at making it easier. I have at least a dozen very different methods for dealing with certificates just among the Cisco products I use. If I spend half a day wrestling with certificate configuration, that's half a day I'm not dealing with actual security issues.
