I don't understand how to use certificates for forwarders. We have 300+ UFs. There's no way they're all going to have their own unique certificate.
How do I generate csr for the UFs' certificates? The certificates will need to be signed by a third party.
If I have a certificate with the SANs of my indexers, could I use that certificate for my UFs too?
Do I need to obtain a wildcard certificate for the UFs?
you can use third party certificates for each server as described at https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Howtogetthird-partycertificates
or you can use a self signed certificate as described at https://docs.splunk.com/Documentation/Splunk/8.2.5/Security/Howtoself-signcertificates
Could you please elaborate on a few things?
For example, if configuring multiple forwarders, you can use the following example to create the certificate myServerCertificate.pem for your indexer, then create another certificate myForwarderCertificate.pem using the same root CA and install that certificate on your forwarder. Note that an indexer will only accept a properly generated and configured certificate from a forwarder that is signed by the same root CA.
So theoretically yes I can use the same certificate used by the indexers for the forwarders?
From the technical point of view, any valid certificate will do as long as the hostname conforms to the name in the certificate (I'm not sure how about wildcard certificates).
It's the "organizational" aspect of PKI that dictates that you should have separate certificate for each subject (in this case - for each forwarder).