This from the inputs.conf seems to indicate by default you do not need to have a SSL certificate on the forwarder at all
requireClientCert = <bool>
* Determines whether a client must present an SSL certificate to authenticate.
* Full path to the root CA (Certificate Authority) certificate store.
* The <path> must refer to a PEM format file containing one or more root CA
certificates concatenated together.
* Defaults to false.
Please check this, incase if you have read it already -
IMPORTANT NOTE ABOUT "requireClientCert" :
As of Splunk 4.2.4, setting "requireClientCert = true" in the indexer's inputs.conf will cause forwarding to fail! A bug (SPL-37637) is currently open to address this issue. In the meantime, keep requireClientCert set to "false".
We have set "requireClientCert = true". This requires the following conditions to be met :
a) "rootCA" must point to a file containing the CA's public key. In our example, it's the myCACertificate.pem file we generated in step 1.
b) The forwarder's server certificate defined by "sslCertPath" in outputs.conf (see step 4) is signed by that CA.
c) The forwarder has the password to read his own certificate ("sslPassword" in outputs.conf, as defined in step 4). This password is "server_privkey_password" in our example.