I'm running Splunk Universal Forwarder v8.0.3.0. We are running it on Windows 2012 R2.  What is the process to replace the self-signed certificate Splunk creates and uses by default? We want to use a certificate provided by our internal Enterprise Certificate Authority (CA). We do not want to use any self-signed certificates. We scan our environment, and any self-signed certificates are listed as vulnerabilities within our network.

There are several blogs mentioning create web.config or updating the server.conf file; placing certificates in a non-existing ${SplunkHome}\etc\auth\mycerts directory. Have to assume mycerts has to be created. Here is my request: Given that I can create a certificate-pair (private, public, w/keys) in pem format from our CA; I need a step-by-step, in-order, process on how to make it all work: where to place the certificate(s), what precise file to update, what information is needed in that file (relative to where we place the certificates). We do not control any of the Deployment Server or Heavy Forwarders. I only work with the Universal Forwarder. Our data is sent to those other servers. If there is any dependency/change needed on these servers, when we change our certificate, what are they? We are currently connected to those servers.

Again, please no tidbit pieces of information, but the ordered list of instructions to make this work. If there is a link with this detail, post it, cause I have not found anything bulletproof. I saw one item, then a person mentioning a problem trying to implement that item. When I read it, it had many assumptions you had to make in it, like creating the mycerts sub-directory. There was others. Not a good process. 

Thanks,