Changing the SSL certificate fleet server uses

Is there a way to specify a new certificate that the fleet server will use for communication over port 8220 other than re-enrolling the agent? This is the certificate that is specified in the --fleet-server-cert and --fleet-server-cert-key arguments when installing the agent to be a fleet server.

If a public-CA-issued certificate is used for this, being able to change the certificate without reinstalling or re-enrolling is pretty important, since those certificates are only valid for one year.

This is version 8.4.1.


I'm also looking for a solution to this.
This should be configurable in a yml file.
It's the first time for us to install a fleet-server, and without knowing where the certificates would go I've put them into a temporary folder. But now there seems to be no way to change this easily.


I tried changing the certificate settings in fleet-server.yml but that didn't seem to have any impact on what certificate was used. What I did do is copy the new certificate and key to the same file that was specified during the agent installation, then restart the agent. The new certificate/key were then used. This feels like a workaround, but at least it solves the problem of changing certificates.
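The workaround described in the post above, written up as an added shell example (not from this thread and not Elastic's own tooling): it checks with openssl that the replacement key belongs to the replacement certificate and that the certificate is not about to expire, overwrites the files originally given to `--fleet-server-cert` / `--fleet-server-cert-key`, and restarts the agent. The file paths and the restart command are assumptions; substitute whatever was used at install time.

```shell
#!/bin/sh
# Added example: rotate the certificate Fleet Server presents on port 8220 by
# replacing the files passed at install time, then restarting the agent.
# Paths and restart command below are assumptions, not documented defaults.
set -eu

FLEET_CERT="${FLEET_CERT:-/etc/fleet/fleet-server.crt}"   # assumed install-time path
FLEET_KEY="${FLEET_KEY:-/etc/fleet/fleet-server.key}"     # assumed install-time path
MIN_DAYS="${MIN_DAYS:-30}"                                # refuse certs expiring sooner

# Succeeds only if the certificate and private key carry the same public key.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate stays valid for at least $2 (default MIN_DAYS) days.
cert_not_expiring() {
  days="${2:-$MIN_DAYS}"
  openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Validate the new pair, back up the old files, swap via temp files so a crash
# never leaves a half-written cert or key, then restart the agent.
rotate_fleet_cert() {
  new_cert="$1"; new_key="$2"
  restart_cmd="${3:-systemctl restart elastic-agent}"   # assumed service name
  cert_key_match "$new_cert" "$new_key" || { echo "cert/key mismatch" >&2; return 2; }
  cert_not_expiring "$new_cert" || { echo "cert expires within $MIN_DAYS days" >&2; return 3; }
  cp -p "$FLEET_CERT" "$FLEET_CERT.bak" 2>/dev/null || true
  cp -p "$FLEET_KEY" "$FLEET_KEY.bak" 2>/dev/null || true
  install -m 0644 "$new_cert" "$FLEET_CERT.tmp" && mv -f "$FLEET_CERT.tmp" "$FLEET_CERT"
  install -m 0600 "$new_key" "$FLEET_KEY.tmp" && mv -f "$FLEET_KEY.tmp" "$FLEET_KEY"
  sh -c "$restart_cmd"
}

# Usage: rotate_fleet_cert /path/to/new.crt /path/to/new.key
```

After the restart, confirm the listener serves the new certificate with `openssl s_client -connect <fleet-host>:8220 -showcerts` before any agents hit the old expiry date.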

This does seem to be pretty standard, but where is the documentation for the initial fleet setup with a cert, where you mentioned: "specified in the --fleet-server-cert and --fleet-server-cert-key arguments when installing..."? Is there an official document on using SSL certs with fleet that you're referencing?
For example, in the case of Kibana, the kibana.yml just points to "server.key" and "server-cert-with-chain.crt," basically, such that if I replace those yearly and then restart Kibana, it would pick up the new certs. So that does seem to be their standard mode of operation, but you're right that it needs to be addressed by the overall Elastic team regarding cert renewal procedures. The whole cert area seems to be sadly lacking as regards clear documentation: documentation on how to use the internal, self-signed certs for ELK, Fleet, etc. If parts of my ELK setup are "internal-only," then I'm happy with just using self-signed, since it will never be exposed to external access. Thoughts?

I followed the directions here but decided to use a certificate from a public CA instead of a self-signed certificate. I was having big problems getting the agents to recognize the self-signed certificate as valid.
