Thanks, Masa. I believe I have done everything you wrote about. Maybe I can document it below as a starting point for others, as well as for discussion:
1. Create a Private Server Key (using OpenSSL on Indexer Server) [Output in PEM format]
2. Create a Certificate Signing Request based on the Private Server Key [Output in PEM Format]
3. Using a web browser, submit the signing request to the Microsoft Certificate Authority
4. Once request is approved and certificate is signed by the CA, download the signed certificate [Output in DER Format]
5. Download the CA root certificate [Output in DER Format]
6. Using OpenSSL, convert the signed certificate from DER to PEM format [Output in PEM Format]
7. Using OpenSSL, convert the root CA certificate from DER to PEM format [Output in PEM Format]
8. Copy first the signed server cert to a new file, and append the private server key to the new file [Output in PEM Format]
9. Configure inputs.conf to point to the combined certificate as well as the root CA certificate (and specify any passwords to the private server key)
10. Perform steps 1-9 again to create a certificate that will be used on all forwarders.
Unfortunately, even after doing all of this, I still get the Protocol Unknown error.
My next attempt will be to create a local CA on the Indexer using OpenSSL instead of using the Microsoft CA. Any suggestions are welcome!
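The OpenSSL side of the steps listed in the post above, as an added example that is not the poster's own commands. It assumes a throwaway local CA standing in for the Microsoft CA so it runs offline; all file names and subject names are hypothetical, and `check_bundle` is an added sanity check on the combined file (chain verifies, key matches certificate) to run before pointing inputs.conf at it.

```shell
#!/bin/sh
# Constructed example: file names and subjects are hypothetical.

build_bundle() {  # $1 = working directory
  d=$1
  # Stand-in for the Microsoft CA (assumption, only so this runs offline).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null || return 1
  # Steps 1-2: private server key and CSR, both PEM.
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$d/server.key" -subj "/CN=indexer.example.test" \
    -out "$d/server.csr" 2>/dev/null || return 1
  # Steps 3-5: the CA signs; write DER, as the downloads in the post are DER.
  openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -outform DER -out "$d/server.der" 2>/dev/null || return 1
  openssl x509 -in "$d/cacert.pem" -outform DER -out "$d/ca.der" || return 1
  # Steps 6-7: DER -> PEM for the signed certificate and the root CA.
  openssl x509 -inform DER -in "$d/server.der" -out "$d/server_cert.pem" || return 1
  openssl x509 -inform DER -in "$d/ca.der" -out "$d/cacert_from_der.pem" || return 1
  # Step 8: certificate first, then the private key.
  cat "$d/server_cert.pem" "$d/server.key" > "$d/server.pem"
}

check_bundle() {  # $1 = combined PEM, $2 = root CA PEM
  # The certificate in the bundle must chain to the root CA.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "chain does not verify against $2" >&2; return 1; }
  # The private key in the bundle must belong to that certificate:
  # compare the public key derived from each.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
}

demo_dir=$(mktemp -d) && build_bundle "$demo_dir" \
  && check_bundle "$demo_dir/server.pem" "$demo_dir/cacert_from_der.pem" \
  && echo "bundle OK"
rm -rf "$demo_dir"
```
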