We deploy most beattypes to hosts managed by different service providers. The beats ships data to Logstash beats endpoints protected with TLS and firewalls. This setup works very well.
However, changing expired TLS certificates may impose some problems, since either the beats and/or the firewalls cache the TLS certificate, so Logstash validates a certificate to be expired even though it has been replaced by a new certificate.
If the certificate is cached on the beats host a restart of the beats fixes the problem. However, this not an elegant solution. How can I configure a beat to detect if the key/certificate must be reloaded?