This maybe less of a question and more of a comment. The "Configure Splunk forwarding to use signed certificates" documentation states you should configure:
sslPassword = The password for the CAcert
Obviously your not going to put the CA's secret password on a forwarder. I assume the intention is to say you would put the forwarder's certificate password here as entered by the CA when creating the cert. I believe this is poor verbiage.
In a related note - should you set a challenge password for this cert?
Every Splunk documentation page has a comment section at the bottom where you can give your feedback/questions/concerns about the page's content. That comment goes to the Splunk Documentation management team directly, so I would suggest you post your feedback there (as well).