Getting Data In

How to encrypt traffic between universal forwarder and indexer (getting error on server splunkd.log)?

snix
Communicator

I am trying to set up basic encryption between the Universal Forwarder and the indexer using the certs that come with the install. I am trying to follow the directions in this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...

On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

Then in the outputs.conf for the UF, found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers, I have this for the config:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]

I then restarted both the Splunk server and the UF and found logs were still getting ingested into the indexer with no issues, except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to the configuration change, but its traffic was getting rejected after the UF was restarted. I looked at the splunkd.log file on the Splunk server and found this error:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
0 Karma
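A small diagnostic for the splunkd.log line quoted above, added here as an example and not part of the thread or of Splunk's own code: it reinterprets the rejected size=369295616 as the four raw bytes the listener read, 16 03 01 00, which is a TLS handshake record header (the forwarder's ClientHello) arriving on a port that is not configured for SSL. The assumption is that the splunktcp listener treats the first four bytes of the stream as a big-endian message length; the sample line is constructed with a placeholder source address.

```python
import re

# Constructed sample, modelled on the splunkd.log error quoted in the question
# (the source address is a documentation placeholder, not a real host).
SAMPLE_LINE = ("ERROR TcpInputProc - Message rejected. Received unexpected message of "
               "size=369295616 bytes from src=192.0.2.10:60167 in streaming mode. "
               "Maximum message size allowed=67108864.")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

SIZE_RE = re.compile(r"Received unexpected message of size=(\d+) bytes from src=(\S+)")


def diagnose_rejected_message(line):
    """Describe what the rejected 'message size' in a TcpInputProc error really was.

    Assumption (consistent with the value in the error): the splunktcp listener
    reads the first four bytes of the stream as a big-endian message length.
    If those bytes are actually a TLS record header, the decoded 'size' is huge
    and the listener rejects it. Returns None if the line does not match.
    """
    m = SIZE_RE.search(line)
    if not m:
        return None
    size = int(m.group(1))
    if size > 0xFFFFFFFF:            # cannot have come from a 4-byte length field
        return None
    header = size.to_bytes(4, "big")  # the bytes the listener actually saw
    content_type = header[0]
    version = int.from_bytes(header[1:3], "big")
    is_tls = content_type in TLS_CONTENT_TYPES and version in TLS_VERSIONS
    return {
        "src": m.group(2),
        "size": size,
        "header_hex": header.hex(),
        "content_type": TLS_CONTENT_TYPES.get(content_type),
        "record_version": TLS_VERSIONS.get(version),
        "tls_to_plaintext_port": is_tls,
        # A handshake record from a forwarder is its ClientHello: the UF speaks
        # TLS, but the indexer port is a plain [splunktcp://] listener.
        "advice": ("forwarder is sending TLS to a plaintext splunktcp port; use a "
                   "[splunktcp-ssl:<port>] stanza on the indexer for that port"
                   if is_tls and content_type == 22 else
                   "not a TLS record header; check what is connecting to the port"),
    }


if __name__ == "__main__":
    print(diagnose_rejected_message(SAMPLE_LINE))
```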

broberg
Communicator

Hi.
I did this yesterday, and on the indexer I needed to change the

  • server.conf
  • inputs.conf

server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

On the UF, I needed to add
- outputs.conf
- server.conf

outputs.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem

I don't know if it's 100% correct, but it worked in my lab environment.

0 Karma

tejasode
New Member

How do we validate that the logs are encrypted after making the changes?

0 Karma