Hi,
I have Elasticsearch 8.6.
My certificate is going to expire, so I followed the process where a restart of the cluster is required.
However, I have tested a simple file replacement of the CA cert and it seems to work even without restarting the cluster, but I am afraid that this might be misleading information.
The process:
- execute GET _ssl/certificates
[
  {
    "path": "elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "aaaa",
    "has_private_key": false,
    "expiry": "2023-05-05T04:38:48.000Z", <---- expiry of current cert
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
- just copy new cert to /etc/elasticsearch/elastic-certificates.p12, no restart
- execute GET _ssl/certificates

I receive information that it has the new cert:
[
  {
    "path": "elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "xxx",
    "has_private_key": false,
    "expiry": "2026-04-10T11:19:35.000Z", <---- see here new expiry
    "issuer": "CN=Elastic Certificate Tool Autogenerated CA"
  },
  {
The reason why I am copying the keystore and truststore file (in my case the same file) is that it was generated a very long time ago and the current process does not allow me to include the new certificate in the existing file.
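
An added example, not part of the original post: a small Python check over saved `GET _ssl/certificates` responses that flags entries close to expiry and nodes that report different serial numbers for the same path and alias. It assumes the response was collected from each node separately; the node names, serial numbers, and the fixed `NOW` date are constructed for the example, and it only compares what the API reports.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_expiry(value):
    """Parse the 'expiry' timestamp format shown in the API output (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def audit(responses, now, warn_days=30):
    """responses: {node_name: parsed JSON list from GET _ssl/certificates}.
    Returns a sorted list of (kind, node, path, alias) findings."""
    findings = []
    serials = defaultdict(dict)  # (path, alias) -> {node: serial_number}
    for node, certs in responses.items():
        for cert in certs:
            key = (cert["path"], cert["alias"])
            serials[key][node] = cert["serial_number"]
            remaining = parse_expiry(cert["expiry"]) - now
            if remaining <= timedelta(0):
                findings.append(("expired", node, *key))
            elif remaining < timedelta(days=warn_days):
                findings.append(("expiring", node, *key))
    # A file replacement that reached only some nodes shows up as differing serials.
    for key, by_node in serials.items():
        if len(set(by_node.values())) > 1:
            findings.extend(("serial_mismatch", node, *key) for node in by_node)
    return sorted(findings)


def entry(serial, expiry):
    """Build a constructed response entry shaped like the output in the post."""
    return {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
            "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
            "serial_number": serial, "has_private_key": False, "expiry": expiry,
            "issuer": "CN=Elastic Certificate Tool Autogenerated CA"}


# Constructed sample: node-1 already has the new file, node-2 still has the old one.
OLD = entry("0a", "2023-05-05T04:38:48.000Z")
NEW = entry("0b", "2026-04-10T11:19:35.000Z")
SAMPLE = {"node-1": [NEW], "node-2": [OLD]}
NOW = datetime(2023, 4, 20, tzinfo=timezone.utc)  # fixed date so the result is repeatable

if __name__ == "__main__":
    for finding in audit(SAMPLE, NOW):
        print(*finding)
```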