Change the certificates

Hello Team,

I have an ELK stack running with a hot-warm architecture. Everything was fine until I was asked to add new nodes to the stack...
How am I supposed to add new nodes and how can I create new certificates for the new host?

  1. Can I use the same CA cert to generate a new cert for the new host?
  2. Can I change all the certificates for the host if I wanted?
  3. Will changing all the certificates give me an issue to login?
     I faced something like this in my past:
     failed to authenticate user 'elastic' against https ///_security/_authenticate pretty

Yes, provided you have a copy of the private key for that CA cert.
If you didn't save a copy of that key, then there is no way to issue new certificates using that CA.

If you do have the key, then you can use elasticsearch-certutil to issue new certificates.

  2. Can I change all the certificates for the host if I wanted?

You can.
Doing so without downtime is tricky.

The steps are:

If using PEM certificates:

  1. Generate a new CA
  2. Generate new certificates
  3. Update elasticsearch.yml for each node to trust the new CA alongside the old CA
  4. Perform a rolling restart
  5. Update elasticsearch.yml on each node to set xpack.security.transport.ssl.certificate (& .key) to use the new certificate for that node.
  6. Perform a rolling restart
  7. Update elasticsearch.yml for each node to stop trusting the old CA (but keep trusting the new CA)
  8. Perform a rolling restart

  3. Will changing all the certificates give me an issue to login?

It's impossible to answer that because we haven't provided any information about the cause of the error.

It is entirely possible to break your cluster when updating certificates, and there are ways to break a cluster that will prevent users from authenticating. So, it's possible that you will get an issue like that if you make a mistake.
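
The PEM rotation steps in the answer above, written out as the transport TLS settings on one node at each of the three rolling restarts. This is an added example, not part of the original thread; the file names under certs/ and the node name node1 are assumed placeholders.

```yaml
# Transport TLS section of elasticsearch.yml on one node, shown at each phase.
# The three documents (separated by ---) are successive states of the same
# file, not one file. Paths are placeholders (assumed), relative to the
# Elasticsearch config directory.

# Phase A (step 3, then rolling restart in step 4):
# trust the new CA alongside the old one; the node still presents its old cert.
xpack.security.transport.ssl.certificate_authorities:
  - certs/old-ca.crt
  - certs/new-ca.crt
xpack.security.transport.ssl.certificate: certs/node1-old.crt
xpack.security.transport.ssl.key: certs/node1-old.key
---
# Phase B (step 5, then rolling restart in step 6):
# switch this node to the certificate issued by the new CA. Both CAs stay
# trusted, because nodes that have not restarted yet still present
# certificates signed by the old CA.
xpack.security.transport.ssl.certificate_authorities:
  - certs/old-ca.crt
  - certs/new-ca.crt
xpack.security.transport.ssl.certificate: certs/node1-new.crt
xpack.security.transport.ssl.key: certs/node1-new.key
---
# Phase C (step 7, then rolling restart in step 8):
# every node now presents a new-CA certificate, so the old CA is dropped
# from the trust list.
xpack.security.transport.ssl.certificate_authorities:
  - certs/new-ca.crt
xpack.security.transport.ssl.certificate: certs/node1-new.crt
xpack.security.transport.ssl.key: certs/node1-new.key
```

Moving to the next phase before every node has restarted with the current one is the mistake that splits the cluster: a node that trusts only one CA cannot complete a TLS handshake with a peer whose certificate was issued by the other.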

Hello Tim,
Greetings,

Thanks for the response. Now would you be able to give me a small demo on how to generate new certs from CA.CRT...
Let's say I have server1-domain.com and its respective crt server1-domain.com.crt; now I wanna add another server, server2-domain.com...

Thanks in advance.