Elastic Agents CA questions…

Hello peoples,

I have started playing with Fleet/Agents on our just upgraded 8.0 cluster and I am confused about how it works with the authoritative CA.

I have created my Elastic CA while installing the cluster using elasticsearch-certutil.

At the moment it seems I have to copy my elastic-stack-ca.crt file before installing an agent and use --certificate-authorities= to tell it to use that file.

Two questions that came to mind during that procedure:

  • Do I have to keep that file after installation (at that location) or does the agent copy it somewhere to use?
  • What are the settings "Elasticsearch CA trusted fingerprint" or "certificate_authorities" in the "Advanced YAML configuration" for if I still have to provide that file?

I have tried using --fleet-server-es-ca-trusted-fingerprint instead of providing the file, but that didn't seem to work.

Ok, I have figured out one question myself.

I have to keep that file at that location or change the fleet.yml configuration:

rg -B1 elastic-stack-ca.crt  /opt/Elastic/Agent/
/opt/Elastic/Agent/fleet.yml
18-    certificate_authorities:
19:    - /home/user/elastic-stack-ca.crt

The second question remains: what is "Elasticsearch CA trusted fingerprint" for, or how do I use it?
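
A check that follows from the fleet.yml finding above, as an added example that is not part of the original posts or of Elastic's tooling: it lists every path under `certificate_authorities:`, reports whether the file still exists and whether group or others can write to it, and prints the SHA-256 of the certificate's DER bytes (the value `openssl x509 -fingerprint -sha256` shows, without colons) for comparison against the CA you created. The function names are hypothetical, and the parser is a line-based one for the layout shown in the `rg` output, not a full YAML parser.

```python
import base64, hashlib, os, re, stat

def ca_paths(fleet_yml_text):
    """Collect the list items that follow each certificate_authorities: key."""
    paths, indent = [], None
    for line in fleet_yml_text.splitlines():
        key = re.match(r"^(\s*)certificate_authorities:\s*$", line)
        if key:
            indent = len(key.group(1))
            continue
        if indent is not None:
            item = re.match(r"^(\s*)-\s+(.+?)\s*$", line)
            if item and len(item.group(1)) >= indent:
                paths.append(item.group(2).strip("'\""))
            else:
                indent = None  # first non-item line ends the list
    return paths

def pem_fingerprint(pem_text):
    """Hex SHA-256 over the DER bytes of the first certificate in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        return None
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def audit(fleet_yml_text):
    """One record per referenced CA file: presence, loose write bits, fingerprint."""
    report = []
    for path in ca_paths(fleet_yml_text):
        entry = {"path": path, "exists": os.path.isfile(path),
                 "loose_perms": None, "sha256": None}
        if entry["exists"]:
            mode = os.stat(path).st_mode
            # A trust anchor writable by group/others can be swapped silently.
            entry["loose_perms"] = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            with open(path, encoding="ascii", errors="replace") as fh:
                entry["sha256"] = pem_fingerprint(fh.read())
        report.append(entry)
    return report

if __name__ == "__main__":
    # The two lines below are the fleet.yml excerpt from the post's rg output.
    sample = ("    certificate_authorities:\n"
              "    - /home/user/elastic-stack-ca.crt\n")
    for row in audit(sample):
        print(row)
```

On a real host, pass the contents of /opt/Elastic/Agent/fleet.yml instead of the sample string; an entry with `exists: False` means the agent's configuration still points at a CA file that is no longer at that path.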