Elastic Agents CA questions…

Hello peoples,

I have started playing with Fleet/Agents on our just upgraded 8.0 cluster and I am confused about how it works with the authoritative CA.

I have created my Elastic CA while installing the cluster using elasticsearch-certutil.

At the moment it seems I have to copy my elastic-stack-ca.crt file before installing an agent and use --certificate-authorities= to tell it to use that file.

Two questions that came to mind during that procedure:

  • Do I have to keep that file after installation (at that location) or does the agent copy it somewhere to use?
  • What are the settings "Elasticsearch CA trusted fingerprint" or "certificate_authorities" in the "Advanced YAML configuration" for if I still have to provide that file?

I have tried using --fleet-server-es-ca-trusted-fingerprint instead of providing the file, but that didn't seem to work.

Ok, I have figured out one question myself.

I have to keep that file at that location or change the fleet.yml configuration:

rg -B1 elastic-stack-ca.crt  /opt/Elastic/Agent/
18-    certificate_authorities:
19:    - /home/user/elastic-stack-ca.crt

Remains the second question what "Elasticsearch CA trusted fingerprint" is for or how to use it?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.