We have currently set up 3 Elasticsearch clusters with master nodes on 1.1.1.10, 1.1.1.11, and 1.1.1.12.
Since the certificates had expired, we generated new ones. On the master node (1.1.1.10), we created http.p12, transport.p12, and http_ca.crt, and then copied them to the other nodes (1.1.1.11 and 1.1.1.12).
To verify the certificate validity, we ran the following commands, and they all returned the same output:
echo | openssl s_client -connect 1.1.1.10:9200 -servername 1.1.1.10:9200 2>/dev/null | openssl x509 -noout -dates -subject -issuer
echo | openssl s_client -connect 1.1.1.11:9200 -servername 1.1.1.11:9200 2>/dev/null | openssl x509 -noout -dates -subject -issuer
echo | openssl s_client -connect 1.1.1.12:9200 -servername 1.1.1.11:9200 2>/dev/null | openssl x509 -noout -dates -subject -issuer
However, when checking in Kibana with GET _ssl/certificates, we see the following output:
[
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "bd....36",
    "has_private_key": false,
    "expiry": "2028-09-25T09:18:24.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "bd....36",
    "has_private_key": false,
    "expiry": "2028-09-25T09:18:24.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/http.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=instance",
    "serial_number": "bf....86",
    "has_private_key": true,
    "expiry": "2125-09-02T09:18:51.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "e9....e3",
    "has_private_key": false,
    "expiry": "2028-09-25T08:43:32.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=instance",
    "serial_number": "16....6b",
    "has_private_key": true,
    "expiry": "2125-09-02T08:43:59.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
    "path": "certs/transport.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "e9....e3",
    "has_private_key": false,
    "expiry": "2028-09-25T08:43:32.000Z",
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  }
]
We would like to know:
- Why do the certificates appear differently in Kibana compared to the OpenSSL command results?
- Which certificate expiry dates should we follow for the next renewal? (e.g., 2028 vs 2125)
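Added example, not part of the original post: `GET _ssl/certificates` lists every certificate stored in each keystore file (CA and node certificate), whereas `openssl x509` prints only the first certificate the server presents, and a chain stops validating as soon as any certificate in it expires. The Python sketch below takes records in the API's shape, collapses duplicates, and reports the earliest expiry per file; the helper names and the subject-equals-issuer test for "CA" are assumptions of this example.

```python
from datetime import datetime, timezone

CA_DN = "CN=Elastic Certificate Tool Autogenerated CA"

def entry(path, alias, subject, serial, has_key, expiry):
    # Builds one record in the shape returned by GET _ssl/certificates.
    return {"path": path, "format": "PKCS12", "alias": alias, "subject_dn": subject,
            "serial_number": serial, "has_private_key": has_key,
            "expiry": expiry, "issuer": CA_DN}

# Constructed sample: the six records from the post, serials elided as posted.
SAMPLE = [
    entry("certs/http.p12", "ca", CA_DN, "bd....36", False, "2028-09-25T09:18:24.000Z"),
    entry("certs/http.p12", "instance", CA_DN, "bd....36", False, "2028-09-25T09:18:24.000Z"),
    entry("certs/http.p12", "instance", "CN=instance", "bf....86", True, "2125-09-02T09:18:51.000Z"),
    entry("certs/transport.p12", "ca", CA_DN, "e9....e3", False, "2028-09-25T08:43:32.000Z"),
    entry("certs/transport.p12", "instance", "CN=instance", "16....6b", True, "2125-09-02T08:43:59.000Z"),
    entry("certs/transport.p12", "instance", CA_DN, "e9....e3", False, "2028-09-25T08:43:32.000Z"),
]

def parse_expiry(value):
    # The API reports expiry as UTC with millisecond precision.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def distinct_certs(entries):
    # The same certificate is listed once per alias/chain position; keep one copy.
    seen = {}
    for e in entries:
        seen.setdefault((e["path"], e["serial_number"]), e)
    return list(seen.values())

def renewal_deadlines(entries, now):
    # For each keystore file, the certificate that expires first sets the deadline.
    deadlines = {}
    for e in distinct_certs(entries):
        expiry = parse_expiry(e["expiry"])
        # Assumption of this example: subject == issuer marks the self-signed CA.
        role = "ca" if e["subject_dn"] == e["issuer"] else "leaf"
        best = deadlines.get(e["path"])
        if best is None or expiry < best["expiry"]:
            deadlines[e["path"]] = {"role": role, "subject_dn": e["subject_dn"],
                                    "expiry": expiry, "days_left": (expiry - now).days}
    return deadlines

if __name__ == "__main__":
    for path, d in renewal_deadlines(SAMPLE, datetime.now(timezone.utc)).items():
        print(f"{path}: renew before {d['expiry']:%Y-%m-%d} "
              f"({d['role']} {d['subject_dn']}, {d['days_left']} days left)")
```
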