Elastic Agents CA questions…

Hello peoples,

I have started playing with Fleet/Agents on our just-upgraded 8.0 cluster and I am confused about how it works with the authoritative CA.

I have created my Elastic CA while installing the cluster using elasticsearch-certutil.

At the moment it seems I have to copy my elastic-stack-ca.crt file before installing an agent and use --certificate-authorities= to tell it to use that file.

Two questions that came to mind during that procedure:

  • Do I have to keep that file after installation (at that location) or does the agent copy it somewhere to use?
  • What are the settings "Elasticsearch CA trusted fingerprint" or "certificate_authorities" in the "Advanced YAML configuration" for if I still have to provide that file?

I have tried using --fleet-server-es-ca-trusted-fingerprint instead of providing the file, but that didn't seem to work.

Ok, I have figured out one question myself.

I have to keep that file at that location or change the fleet.yml configuration:

rg -B1 elastic-stack-ca.crt  /opt/Elastic/Agent/
/opt/Elastic/Agent/fleet.yml
18-    certificate_authorities:
19:    - /home/user/elastic-stack-ca.crt

The second question remains: what is "Elasticsearch CA trusted fingerprint" for, and how do I use it?
