Hey splunk team,

I need a bit (okay a lot of help). I'm not sure what I'm doing wrong, but I'm following these guides to create my own self-signed ssl certificate:

http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA

http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates

However after looking at my logs, my forwarder shows the following:

02-27-2018 00:45:19.808 -0800 INFO  TcpOutputProc - Removing quarantine from idx=192.168.0.43:9997
02-27-2018 00:45:19.808 -0800 WARN  TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused
02-27-2018 00:45:19.808 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed
02-27-2018 00:45:19.809 -0800 WARN  TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused
02-27-2018 00:45:19.809 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed
02-27-2018 00:45:19.809 -0800 WARN  TcpOutputProc - Applying quarantine to ip=192.168.0.43 port=9997 _numberOfFailures=2

At this point I'm not sure what I'm doing wrong. If it helps, my forwarders outputs.conf looks like this:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 192.168.0.43:9997
compressed = true
sslRootCAPath = /opt/splunkforwarder/etc/certs/myCACertificate.pem
sslCertPath = /opt/splunkforwarder/etc/certs/myServerCertificate.pem
sslPassword = $xxxxxxxxxxxxx=
sslVerifyServerCert = true

My indexer's input.conf looks like this:

[default]
host = splunk

[SSL]
rootCA = /opt/splunk/etc/certs/myCACertificate.pem
serverCert = /opt/splunk/etc/certs/myServerCertificate.pem
password = $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#password = $xxxxxxxxxxxxxx
requireClientCert = false

[splunktcp-ssl:9997]
compressed = true
disabled = 0

And i've added this line to my indexer's server.conf. This was based on the default configuration for ssl certificates on the indxer, plus the guide to using self signed certs:

sslRootCAPatch = /opt/splunk/etc/system/local/certs/myCACertificate.pem

Any help or advice is appreciated.