Changing the Certificate Authority on an Elasticsearch 8 cluster: how to override the certificates created at install time

Hi There,
I have been experimenting with and testing Elasticsearch 8 to assess migration, and I am stuck at adding a new certificate authority (CA) to a newly set up cluster.

I have set up single-node and multi-node clusters for testing; security is enabled by default and certificates are generated at install time. Everything works fine and I have been testing our code.

When I came to using our existing certificate authority for the cluster, so I could replace the default certificates, I hit a glitch.

I first tried to add our CA to the truststore created at install time, "transport.p12", using:
keytool -importcert -trustcacerts -noprompt -keystore /etc/Elasticsearch/certs/transport.p12 -alias new-ca -file org.crt

I am being asked for a password for the keystore, which I do not have. I tried leaving the password empty, but I get "wrong password". The only password that Elasticsearch 8 gives at install is the one for the elastic account; I tried that too and it did not work either.

Any idea what the settings are for the default certificates created at install time for Elasticsearch 8? Can they be overridden, or replaced with our own CA? I must be missing something.

Thank you.

You don't have to extend or alter the existing configuration if you don't want to. You can set up your cluster as you would normally do, with your own CA and certificates.

If you want to extend the existing configuration, you are very welcome to do so too. But please keep in mind the implications, and what that means for which certificates will be trusted for the transport layer, for instance!

The keystore passwords are stored as Elasticsearch secure settings; you can list them with the elasticsearch-keystore tool. For example, you can get the password for transport.p12 by running

bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.password

Thanks for the feedback; we'll make sure to make this piece of information more prominent in our docs.

Note: we do not recommend using an existing CA for TLS on the transport port.
The certificates on that port are used to control cluster membership, and switching to an existing CA is likely to reduce your security, not improve it.
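Putting the first answer's procedure together, with the second answer's caveat in mind: the script below is an added example, not code from the thread or from Elastic. It reads the transport.p12 password from the Elasticsearch secure settings, imports an organisation CA into that PKCS12 file with keytool, and verifies the alias is present. The ES_HOME and ES_PATH_CONF defaults assume the Linux package layout, and the secure-setting name is the one the Elasticsearch 8 auto-configuration writes; confirm both on your node with `bin/elasticsearch-keystore list` before running it. Because transport.p12 is also the transport truststore, every certificate issued by the CA you add becomes acceptable to the node as a cluster peer, which is exactly the membership implication the second answer warns about.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic: trust an
# organisation CA in the auto-generated transport.p12 without ever typing
# or echoing its password.
#
# Assumptions (labelled): ES_HOME and ES_PATH_CONF default to the Linux
# package layout; the secure-setting name below is the one the ES 8
# auto-configuration writes. Confirm on your node with
#   bin/elasticsearch-keystore list
# Run as root (or the elasticsearch user): the keystore and certs/ are not
# world-readable.
set -eu

ES_HOME="${ES_HOME:-/usr/share/elasticsearch}"
ES_PATH_CONF="${ES_PATH_CONF:-/etc/elasticsearch}"

# Print one secure setting from the Elasticsearch keystore.
es_secure_setting() {
    "$ES_HOME/bin/elasticsearch-keystore" show "$1"
}

# Import the PEM or DER CA certificate $2 into the PKCS12 store $1 under
# alias $3. The store password is read from the P12_PASS environment
# variable via keytool's -storepass:env, so it never appears in `ps`
# output or in the shell history, unlike a bare -storepass.
p12_import_ca() {
    store="$1" ca_cert="$2" alias="$3"
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storetype PKCS12 -storepass:env P12_PASS \
        -alias "$alias" -file "$ca_cert"
}

# Succeed (exit 0) only if alias $2 exists in PKCS12 store $1.
p12_has_alias() {
    store="$1" alias="$2"
    keytool -list -keystore "$store" -storetype PKCS12 \
        -storepass:env P12_PASS -alias "$alias" >/dev/null 2>&1
}

# usage: ./add-transport-ca.sh org-ca.crt [alias]
main() {
    ca_cert="${1:?usage: $0 org-ca.crt [alias]}"
    alias="${2:-org-ca}"
    store="$ES_PATH_CONF/certs/transport.p12"

    # The auto-configured transport.p12 is both keystore and truststore;
    # its password lives in the secure settings, not in elasticsearch.yml.
    P12_PASS="$(es_secure_setting xpack.security.transport.ssl.keystore.secure_password)"
    export P12_PASS

    if p12_has_alias "$store" "$alias"; then
        echo "alias '$alias' already present in $store" >&2
        return 1
    fi
    cp -p "$store" "$store.bak"          # keep a copy to roll back
    p12_import_ca "$store" "$ca_cert" "$alias"
    p12_has_alias "$store" "$alias"
    echo "imported '$alias' into $store"
    # Every node in the cluster needs the same change; otherwise a node
    # presenting a certificate from the new CA is trusted by some peers
    # but rejected by others.
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The store password does not change, so no secure setting needs updating; Elasticsearch watches its configured TLS files and reloads them when they change, so a restart is not normally required after the import. To back out, restore the `.bak` copy. If you would rather not widen transport trust at all, leave transport.p12 alone and configure only the HTTP layer with your organisation's CA and certificates, which is the route the first answer describes as setting the cluster up "as you would normally do".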
