web.conf if for Splunk Web. In order to use this, your private key must be decrypted. Which means, you are able to verify the certificate using ssl and it doesn't prompt you for a password.

But I doubt you need to access your indexer in Splunk Web. When I changed our certificates system-wide these were my notes for Indexers:

---To prevent server from trying to reach Splunk Base for updates--

Etc/system/local/server.conf 

[applicationsManagement] 

allowInternetAccess = false 

 ---without this, mongod will fail to start. 

[kvstore]

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>.pem 

sslPassword = <password_of_serverCert> 

[sslConfig] 

serverCert = $SPLUNK_HOME/etc/auth/<servername>/<servername>_.pem 

sslPassword = <password_of_serverCert> 

sslRootCAPath = $SPLUNK_HOME/etc/auth/rootca/Root_CA.pem

Etc/system/local/inputs.conf 

[SSL] 

serverCert = $SPLUNK_HOME/etc/auth/receiver/receiver_cert.pem 

sslPassword = <password >

sslVersions = -all, tls1.2

Now, if you must access Splunk Web into the indexer:

Etc/system/local/web.conf 

Note: Splunk Web will not work with encrypted private key. Ensure you are using  decrypted private key and certificate for this configuration.  

 [settings] 

privKeyPath = $SPLUNK_HOME/etc/auth/<servername>/<webServerCert>_webServerCert_priv.key 

serverCert = $SPLUNK_HOME/etc/auth/<servername>/< webServerCert>_webServerCert_cert.pem 

To export private key decrypted for us in Splunk Web web.conf, you can use the following:

1. Export private key, you will need the pass phrase:
   • openssl rsa -in server_priv.key -out web_server_priv.key
   • you can copy this contents and replace the key on your original servercert.pem and save it as whatever name you like: web_servercert.pem
2. Test your certificate to ensure you are not prompted for passphrase:  openssl rsa -in web_servercert.pem –text (Remember, you will only use this for web.conf, if you try to use this in server.conf - mongod will not start due to no passphrase)