So I have a Splunk environment signed by a 3rd party CA. However, the forwarders are using self-signed certificates because it's in a testing environment. When I try to send data from forwarder to indexer, I'm getting errors saying it can't verify certificate. I'm guessing it's because it is signed by a different root CA and the 3rd party won't accept it.
Is there any way to add the self-signed root CA to a trust store or anything? Or do they have to be all signed by the same 3rd party CA?
Splunk doesn't use a trust store (Java style), but you can instruct Splunk where to find a rootCA from a 3rd party.
outputs.conf:
sslRootCAPath =
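
One way to check which certificates chain to which root before setting sslRootCAPath, as an added example that is not part of the original answer. It assumes the file named by sslRootCAPath may be a PEM bundle of several concatenated root CAs and that the openssl CLI is installed; the CA names, file names and generated certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example: build one PEM bundle holding several root CAs and check
# which certificates chain to it. All names and paths are hypothetical.

# make_bundle OUT CA1 [CA2 ...]: concatenate PEM root CAs into one file.
make_bundle() {
    out=$1; shift
    cat "$@" > "$out"
}

# chains_to BUNDLE CERT: succeed only if CERT verifies against BUNDLE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_test_ca DIR NAME: throwaway root CA (constructed sample data).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $2 root" \
        -keyout "$1/$2-ca.key" -out "$1/$2-ca.pem" >/dev/null 2>&1
}

# make_test_leaf DIR CA NAME: leaf certificate signed by that CA.
make_test_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -days 1 \
        -CA "$1/$2-ca.pem" -CAkey "$1/$2-ca.key" -CAcreateserial \
        -out "$1/$3.pem" >/dev/null 2>&1
}

# Demo: run with --demo to see the mismatch and the bundle fixing it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_ca "$d" thirdparty; make_test_ca "$d" lab
    make_test_leaf "$d" thirdparty indexer; make_test_leaf "$d" lab forwarder
    make_bundle "$d/bundle.pem" "$d/thirdparty-ca.pem" "$d/lab-ca.pem"
    for c in indexer forwarder; do
        chains_to "$d/thirdparty-ca.pem" "$d/$c.pem" && r=ok || r=FAIL
        chains_to "$d/bundle.pem" "$d/$c.pem" && b=ok || b=FAIL
        echo "$c: third-party only=$r, bundle=$b"
    done
    rm -rf "$d"
fi
```

Every CA in the bundle is trusted for all connections that use it, so a lab root belongs only in the test environment's bundle.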