Currently i'm using 6.3.1V in all the HF, And 6.2.0 in Indexer, SH, DS.
In all the instances "sslVerifyServerCert = false".
Still do I need to update my SSL certificate?

As long as you are not using SSL in your outputs.conf configuration, you should be good to go for communication from forwarders to indexers. As mentioned above, since sslVerifyServerCert=false by default, as long as you haven't changed it on your nodes, you should also be good to go for the rest of your Splunk infrastructure as well.

Thanks mcluver.

And im thinking to upgrade a splunk version and ssl certificate on indexers from 6.2.0 to 6.3.1, Is there any way

1) without any data loss can we upgrade the splunk version on indexers?
2) If we update this SSL certificate will it lead to any data loss?

I forgot whether I enabled SSL on the UF installed on my Windows Servers or not. How do I verify it?

yep

by default, the inter splunk communication should be encrypted and compressed ... but no validation of the cert.

If sslVerifyServerCert = true, there is validation on the cert. Come July 22nd... as the CA cert will have expired.. the verification will fail

there is also this,
http://docs.splunk.com/Documentation/Splunk/latest/Security/AboutsecuringyourSplunkconfigurationwith...

for Inter-Splunk communication , the column "Certificate Authentication" also says not enabled ..

There are a number of Inter-Splunk communication processes that will fail in following setup after July 21 :
*) server .conf has sslVerifyServerCert = true ( the rest of SSLconfig parameters at default settings)
AND
*) certs not renewed via supplied script

examples:
Deployment client > Deployment Server
License Slave> License Master...

Search Heads > Search Peers
.
sample errors

07-22-2016 15:19:28.948 +0100 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
07-22-2016 15:20:51.715 +0100 ERROR SSLCommon - Certificate doesn't verify, err=10
07-22-2016 15:20:51.715 +0100 INFO  NetUtils - SSL Connection could not be made - server authentication error
07-22-2016 15:20:51.715 +0100 WARN  HTTPClient - SSL_ServerAuthError connecting to=nnn.nn.nnn 143:8089
07-22-2016 15:20:51.715 +0100 WARN  HTTPClient - Connect to=nnn.nnn.nnn:8089 timed out; exceeded 30sec
07-22-2016 15:20:51.715 +0100 ERROR LMTracker - failed to send rows, reason='Unable to connect to license master: https://nn.nn.nnn.nnn:8089 Connect to=https://nnn.nnn.nn.nnn:8089 timed out; exceeded 30sec’

So in pre 6.3 envs.. to see if deployment could be impacted come july 22..... as well as checking if forwarders/indexers are configured to use the default SSL certs
, need to check server.conf on all servers for , sslVerifyServerCert = true

e.g

splunk btool server list --debug
splunk btool inputs list --debug
splunk btool outputs list --debug

I second this question. Further, I am curious if it's a problem for Forwarders on a version prior to 6.3 where you are not using SSL communication between the Forwarders and Indexers. Or in other words, does the root cert expiring cause splunkd to not function even while not using SSL features?

This is what my exact doubt..!!

Can anyone reply for this???

How about server certificate(server.pem) ?
Only required action is replacing default root certificate ?
It seems that the script includes the option to replace the server certificate(s-renewcertssh -serverCert) , but what you mentioned above is only root certificate.

Thanks advance.

Yes, I too have the same query.

script execution says :
At least one of -defaultCA, -liveCA, or -serverCert is required;
order should be -defaultCA, -liveCA, -serverCert.

after providing the "-serverCert" as argument ., no change in the server cert it still shows the older expiry date before I ran the script.

Any idea?

Regarding option #2 above, I'm a big fan of http://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPra... / http://conf.splunk.com/session/2015/recordings/2015-splunk-115.mp4 which goes through the whole process of removing self-signed certs from end to end.

We've struggled to get end to end ssl working. So many things broke that getting the perfect order for every single instance across the organisation timed exactly right was impossible. As such we had to use the default certificates that came with the product.

We're now in a worse position were we are going to lose a significant volume of data as forwarding hosts will be lost after this date as we don't have contact information for the teams that own those devices (they had project defined requirements to install a forwarder at the time).

There are going to be some very pissed off people because of this.