Can you clarify just a little? Are you wanting to make a new CA and issue a certificate to each forwarder? Or, are you wanting to create a new self-signed certificate for the indexer? Or is it something else entirely?
First you probably want to create your own root CA:
mkdir -p /opt/splunk/etc/certs
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs
This will create the files:
ca.pem cacert.pem cakey.pem careq.pem
in the given directory. Then you can issue signed server certificates for your indexer:
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n indexer -c indexer.mydomain.com
and for your forwarder:
/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n forwarder1 -c forwarder1.mydomain.com
Copy over the files forwarder1.pem and cacert.pem to your forwarder.
To configure your forwarder to send the data via SSL add the following to $SPLUNK_HOME/etc/system/local/outputs.conf:
[indexAndForward]
index=false

[tcpout]
defaultGroup = forward-ssl

[tcpout:forward-ssl]
server = <indexer-ip>:9443

[tcpout-server://<indexer-ip>:9443]
sslCertPath=$SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/certs/cacert.pem
# key name corrected from "sslVerfyServerCert"; a misspelled key is not applied
sslVerifyServerCert=false
and add the following on the indexer in the $SPLUNK_HOME/etc/system/local/inputs.conf to listen on a port with SSL enabled:
[SSL]
serverCert=$SPLUNK_HOME/etc/certs/indexer.pem
password=password
# the CA generated above lives in etc/certs, not in Splunk's default etc/auth
rootCA=$SPLUNK_HOME/etc/certs/cacert.pem
requireClientCert=false

[splunktcp-ssl:9443]
It's also possible to distribute the SSL configuration via deployment services.
Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here: http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...
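As an added example (not part of the answer above), here is a small audit script for the forwarder-side outputs.conf: it parses the stanza format shown above and reports settings that leave the forwarder-to-indexer link unverified, including a misspelled ssl* key that the config reader would not apply. The indexer address and the sample file are constructed from the stanza in the answer; the known key names are those used there.

```python
"""Audit the TLS settings in a Splunk forwarder outputs.conf (added example)."""
import configparser
import difflib

# Output-side TLS keys used in the outputs.conf stanza from the thread.
KNOWN_SSL_KEYS = {"sslCertPath", "sslPassword", "sslRootCAPath", "sslVerifyServerCert"}

# Constructed sample: the thread's outputs.conf with a placeholder indexer IP
# and the misspelled key exactly as it appeared.
SAMPLE_OUTPUTS_CONF = """
[indexAndForward]
index=false
[tcpout]
defaultGroup = forward-ssl
[tcpout:forward-ssl]
server = 10.0.0.5:9443
[tcpout-server://10.0.0.5:9443]
sslCertPath=$SPLUNK_HOME/etc/certs/forwarder1.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/certs/cacert.pem
sslVerfyServerCert=false
"""

# Same file with the key spelled correctly and server verification turned on.
HARDENED_OUTPUTS_CONF = SAMPLE_OUTPUTS_CONF.replace(
    "sslVerfyServerCert=false", "sslVerifyServerCert=true")


def audit_outputs_conf(text):
    """Return a list of findings for every [tcpout-server://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase key names intact
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        if not stanza.startswith("tcpout-server://"):
            continue
        keys = dict(cp.items(stanza))
        # A key that is not recognised is simply not applied, so the default
        # (no server certificate verification) stays in effect.
        for key in keys:
            if key.startswith("ssl") and key not in KNOWN_SSL_KEYS:
                close = difflib.get_close_matches(key, KNOWN_SSL_KEYS, n=1)
                hint = f" (did you mean {close[0]}?)" if close else ""
                findings.append(f"{stanza}: unknown key {key}{hint}")
        if keys.get("sslVerifyServerCert", "false").lower() != "true":
            findings.append(f"{stanza}: indexer certificate is not verified; "
                            "set sslVerifyServerCert=true")
        if "sslRootCAPath" not in keys:
            findings.append(f"{stanza}: sslRootCAPath missing, cannot verify the CA")
    return findings
```

Running audit_outputs_conf on the sample reports the misspelled key and the missing verification; the hardened variant produces no findings.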
@ziegfried -- very interesting. I am interested in how to distribute this via deployment services. I can't seem to find anything that explains how you would push updated certs out to the forwarders.