Do I have to restart Elasticsearch cluster if I replace CA certificate?

Hi,
I have Elasticsearch 8.6.
My certificate is going to expire, so I followed the process where a restart of the cluster is required.

However, I have tested a simple file replacement of the CA cert and it seems to work even without restarting the cluster. I am afraid this might be misleading information.

the process:

  1. execute GET _ssl/certificates
[
  {
    "path": "elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "aaaa",
    "has_private_key": false,
    "expiry": "2023-05-05T04:38:48.000Z", <---- expiry of current cert
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  2. just copy new cert to /etc/elasticsearch/elastic-certificates.p12, no restart

  3. execute GET _ssl/certificates
    I receive information that it has new cert

[
  {
    "path": "elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "xxx",
    "has_private_key": false,
    "expiry": "2026-04-10T11:19:35.000Z",          <---- see  here new expiry
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {

The reason why I am copying the keystore and truststore file (in my case the same file) is that it was generated a very long time ago and the current process does not allow me to include a new certificate in the existing file.

Hello, I think this might be more of an Elasticsearch question. The only part where I can help is the question about restarting the cluster: Update certificates with the same CA | Elasticsearch Guide [master] | Elastic
It forces new connections to use the new certificates. If you don't restart, some long-running connections could still be using the old one.

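An added example, not part of the original thread: a Python check that compares two saved `GET _ssl/certificates` responses (steps 1 and 3 of the question) and reports, per keystore entry, whether the serial number changed and how many days the reported certificate has left. The sample responses are constructed from the fields quoted in the thread; `compare_snapshots`, `parse_expiry` and `warn_days` are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Constructed samples shaped like the GET _ssl/certificates output quoted in
# the thread; serial numbers are the thread's own placeholders.
BEFORE = json.loads("""[{"path": "elastic-certificates.p12", "format": "PKCS12",
  "alias": "ca", "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
  "serial_number": "aaaa", "has_private_key": false,
  "expiry": "2023-05-05T04:38:48.000Z",
  "issuer": "CN=Elastic Certificate Tool Autogenerated CA"}]""")
AFTER = json.loads("""[{"path": "elastic-certificates.p12", "format": "PKCS12",
  "alias": "ca", "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
  "serial_number": "xxx", "has_private_key": false,
  "expiry": "2026-04-10T11:19:35.000Z",
  "issuer": "CN=Elastic Certificate Tool Autogenerated CA"}]""")


def parse_expiry(value):
    """Parse the API's UTC timestamp, e.g. 2023-05-05T04:38:48.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def compare_snapshots(before, after, now, warn_days=30):
    """Return one finding per (path, alias) entry present in `after`."""
    old = {(c["path"], c["alias"]): c for c in before}
    findings = []
    for cert in after:
        key = (cert["path"], cert["alias"])
        prev = old.get(key)
        days_left = (parse_expiry(cert["expiry"]) - now).days
        findings.append({
            "path": key[0],
            "alias": key[1],
            # Entry was absent from the earlier snapshot.
            "new_entry": prev is None,
            # Same entry, different serial number: the file content changed.
            "rotated": prev is not None
                       and prev["serial_number"] != cert["serial_number"],
            "days_left": days_left,
            "expiring_soon": days_left < warn_days,
        })
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for finding in compare_snapshots(BEFORE, AFTER, now):
        print(finding)
```

This only compares what the API reports before and after the file copy; it does not address the already-open connections mentioned in the reply.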