The certificate expiration will only affect universal forwarders if you have enabled encrypted connections between the forwarders and the indexers
For more information and specifically on the forwarder question, see point 4 in the answer here:
How do i confirm that my forwarder not connecting to indexers using encrypted?
07-14-2016 08:53:08.462 -0400 INFO TcpOutputProc - Connected to idx=xx.xx.xxx.xx:9997 using ACK.
Thats the logs shows
The ACK has to do with the acknowledgement setting of forwarding.
If your indexer is set up with splunktcp-ssl inputs then it should be receiving SSL (encrypted) over that port. If there are ports in the inputs for TCP (without ssl) then see what is connecting to that port in the logs to find non SSL connections.
Hello, is it possible that Splunkforwarder still works if the cacert.pem on the indexer is expired and from different certificate authority? We have sslVerifyServerCert = false set on the fwd.