First you probably want to create your own root CA:
mkdir -p /opt/splunk/etc/certs
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs
This will create the files:
ca.pem
cacert.pem
cakey.pem
careq.pem
in the given directory. Then you can issue signed server certificates for your indexer:
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n indexer -c indexer.mydomain.com
and for your forwarder:
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n forwarder1 -c forwarder1.mydomain.com
Copy over the files forwarder1.pem and cacert.pem to your forwarder.
To configure your forwarder to send the data via SSL, add the following to $SPLUNK_HOME/etc/system/local/outputs.conf:
[indexAndForward]
index=false
[tcpout]
defaultGroup = forward-ssl
[tcpout:forward-ssl]
server = <indexer-ip>:9443
[tcpout-server://<indexer-ip>:9443]
sslCertPath=$SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/certs/cacert.pem
sslVerifyServerCert=false
and add the following on the indexer to $SPLUNK_HOME/etc/system/local/inputs.conf to listen on a port with SSL enabled:
[SSL]
serverCert=$SPLUNK_HOME/etc/certs/indexer.pem
password=password
rootCA=$SPLUNK_HOME/etc/certs/cacert.pem
requireClientCert=false
[splunktcp-ssl:9443]
It's also possible to distribute the SSL configuration via deployment services.
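A linter for the two stanzas above, added here as an example that is not Splunk's code and not part of the original answer. It parses the outputs.conf and inputs.conf text with the standard library, reports keys Splunk would silently ignore (a misspelled sslVerifyServerCert is the classic one), and flags the settings that leave the forwarder-to-indexer link weaker than the certificates suggest: server verification off, client certificates not required, passphrases still in clear text, and a rootCA path that does not sit beside the server certificate. It assumes the list of outputs.conf SSL keys given in the code (sslCommonNameToCheck is the real Splunk key for checking the peer's CN), that Splunk-encrypted passphrase values start with "$", and the "$7$<encrypted-by-splunk>" strings are placeholders, not real encrypted values.

```python
"""Lint the SSL stanzas of a Splunk outputs.conf / inputs.conf pair.

Added example, not Splunk's code: parses the .conf text with the standard
library and reports keys Splunk would silently ignore (misspellings) and
settings that leave the forwarder-to-indexer link weaker than intended.
"""
import configparser
import difflib
import posixpath

# Constructed input: the forwarder stanzas from the answer above, kept verbatim
# (misspelled key included) so the linter has something to report.
OUTPUTS_CONF = """\
[indexAndForward]
index=false
[tcpout]
defaultGroup = forward-ssl
[tcpout:forward-ssl]
server = <indexer-ip>:9443
[tcpout-server://<indexer-ip>:9443]
sslCertPath=$SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/certs/cacert.pem
sslVerfyServerCert=false
"""

# Constructed input: the indexer [SSL] stanza from the answer above.
INPUTS_CONF = """\
[SSL]
serverCert=$SPLUNK_HOME/etc/certs/indexer.pem
password=password
rootCA=$SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert=false
[splunktcp-ssl:9443]
"""

# The same pair with verification on, the CA path made consistent, and the
# passphrases shown as Splunk-encrypted placeholders ("$7$<...>" is a
# placeholder, not a real encrypted value).
HARDENED_OUTPUTS_CONF = OUTPUTS_CONF.replace(
    "sslVerfyServerCert=false",
    "sslVerifyServerCert=true\nsslCommonNameToCheck=indexer.mydomain.com",
).replace("sslPassword=password", "sslPassword=$7$<encrypted-by-splunk>")
HARDENED_INPUTS_CONF = (
    INPUTS_CONF.replace("etc/auth/cacert.pem", "etc/certs/cacert.pem")
    .replace("requireClientCert=false", "requireClientCert=true")
    .replace("password=password", "password=$7$<encrypted-by-splunk>")
)

# Assumption: keys Splunk reads for SSL in a [tcpout-server://...] stanza (the
# ones on the page, the correctly spelled verify key, and the CN check key).
OUTPUTS_SSL_KEYS = ("sslCertPath", "sslPassword", "sslRootCAPath",
                    "sslVerifyServerCert", "sslCommonNameToCheck")


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case and skip interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def _is_clear_text(secret):
    # Assumption: a value Splunk has already encrypted starts with "$" ($1$/$7$).
    return not secret.startswith("$")


def lint_outputs(text):
    """Findings for every [tcpout-server://...] stanza in an outputs.conf."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        if not stanza.startswith("tcpout-server://"):
            continue
        for key in kv:
            if key not in OUTPUTS_SSL_KEYS:
                close = difflib.get_close_matches(key, OUTPUTS_SSL_KEYS, n=1)
                hint = f" (did you mean {close[0]}?)" if close else ""
                findings.append(f"[{stanza}]: unknown key {key}{hint}; Splunk ignores it")
        if kv.get("sslVerifyServerCert", "false").lower() != "true":
            findings.append(f"[{stanza}]: sslVerifyServerCert is not true; "
                            "the forwarder accepts any certificate the peer presents")
        if "sslPassword" in kv and _is_clear_text(kv["sslPassword"]):
            findings.append(f"[{stanza}]: sslPassword is in clear text; restrict file permissions")
    return findings


def lint_inputs(text):
    """Findings for the [SSL] stanza and the SSL listener in an inputs.conf."""
    conf = parse_conf(text)
    ssl = conf.get("SSL", {})
    findings = []
    if ssl.get("requireClientCert", "false").lower() != "true":
        findings.append("[SSL]: requireClientCert is not true; any host reaching the port can send data")
    cert_dir = posixpath.dirname(ssl.get("serverCert", ""))
    ca_dir = posixpath.dirname(ssl.get("rootCA", ""))
    if cert_dir and ca_dir and cert_dir != ca_dir:
        findings.append(f"[SSL]: rootCA {ssl['rootCA']} is not beside serverCert {ssl['serverCert']}; "
                        "confirm it is the CA that signed the server certificate")
    if "password" in ssl and _is_clear_text(ssl["password"]):
        findings.append("[SSL]: password is in clear text; restrict file permissions")
    if not any(s.startswith("splunktcp-ssl:") for s in conf):
        findings.append("no [splunktcp-ssl:<port>] stanza; nothing listens with SSL")
    return findings


if __name__ == "__main__":
    for name, fn, text in (("outputs.conf", lint_outputs, OUTPUTS_CONF),
                           ("inputs.conf", lint_inputs, INPUTS_CONF)):
        print(f"== {name} ==")
        for line in fn(text) or ["no findings"]:
            print(" ", line)
```

Run as-is it reports the misspelled key, the missing server verification and the clear-text passphrase on the forwarder side, and the unverified clients plus the stray rootCA path on the indexer side; the hardened pair produces no findings. The same functions can be pointed at a real $SPLUNK_HOME/etc/system/local/*.conf by reading the file into the text argument.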
@ziegfried -- very interesting. I am interested in how to distribute this via deployment services. I can't seem to find anything that explains how you would push updated certs out to the forwarders.
Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here: http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...
Can you clarify just a little? Are you wanting to make a new CA and issue a certificate to each forwarder? Or, are you wanting to create a new self-signed certificate for the indexer? Or is it something else entirely?