Are your customers going through a VIP or going directly to the HF or Indexer? Not too sure how you're setup, but we're using a VIP in front of our HF tier. Once we applied the changes to EACH HF and the customer used the full FQDN of the VIP then they were able to get a valid cert. The Splunk docs state to use a .PEM file, but we used a .CRT and .KEY file and that worked like a champ. Note: we're on Splunk 6.3.6 so your version/config may differ so check the splunk docs. Below what our server.conf looks like before we restarted splunkd: [sslConfig] caCertFile = cert_name.crt caPath = path_to_cert sslKeysfile = cert_name.key sslKeysfilePassword = Lastly - make sure you update your inputs.conf for splunk_http to leverage SSL - note that we have a clustered server so this is configured on our deployment server and then pushed to our HF tier via serverclass.conf: [http] dedicatedIoThreads = 2 disabled = 0 enableSSL = 1 index = default port = 8090 host = deployment_server_name maxSockets = 0 maxThreads = 0 ... View more

This is the exact same process we followed - just remember to put your cert on each of the servers for the tier you're getting data in from; i.e. Heavy Forwarders or Indexing tier based upon which option you chose and make sure the certs are in the exact same path. FYI we left our sslPassword option empty and once we restarted the splunk process it auto-magically populated the information with a password. ... View more

I'm looking to setup a VIP for this, but when using port 8089 as the VIP Health Check it keeps showing as down. Has anyone configured a VIP for the HEC? ... View more