To secure our ELK cluster we are using self-signed certificates generated by the elasticsearch-certutil tool. Our ca.crt and the node certificates have expired.
I would like to mention that many external Filebeats connect to Logstash and also use this ca.crt.
What is the procedure to renew such certificates?
Best Regards,
Dan
Opster_support
(Elasticsearch community support @ Opster)
To renew your expired certificates, you can follow these steps:
1. Generate a new CA certificate and key using the elasticsearch-certutil tool. You can use the following command:
       bin/elasticsearch-certutil ca --pem --days <validity_days> --out <output_directory>/ca.zip
   Replace <validity_days> with the number of days you want the certificate to be valid for, and <output_directory> with the directory where you want to save the new CA certificate.
2. Unzip the ca.zip file. You will find the new CA certificate and key in the ca directory.
3. Generate new node certificates using the new CA certificate and key. You can use the following command:
   Replace <path_to_ca_certificate> and <path_to_ca_key> with the paths to the new CA certificate and key, <validity_days> with the number of days you want the certificates to be valid for, and <_directory> with the directory where you want to save the new node certificates.
4. Unzip the certs.zip file. You will find the new node certificates in the certs directory.
5. Replace the old CA certificate and node certificates with the new ones in your Elasticsearch configuration.
6. Restart your Elasticsearch nodes for the changes to take effect.
7. Replace the old CA certificate with the new one in your Filebeat and Logstash configurations.
8. Restart your Filebeat and Logstash instances for the changes to take effect.
Remember to distribute the new CA certificate to all external Filebeat instances that connect to Logstash. They will need the new CA certificate to verify the identity of Logstash.
Please note that this process will cause downtime for your Elasticsearch cluster and Filebeat and Logstash instances. You should plan this operation during a maintenance window.
I have an additional question regarding Filebeat clients. I understand that client certificates don't need to be re-created. Just replace the CA certificate on the client machines and restart the Filebeat service. Am I right?
Opster_support
(Elasticsearch community support @ Opster)
@d.silwon Yes, you're correct. If you're only updating the Certificate Authority (CA) certificate, you don't need to recreate the client certificates. You just need to replace the CA certificate on the client machines and restart the Filebeat service. However, please ensure that the client certificates were originally signed by the CA that you're updating. If not, you'll need to recreate and replace them as well.
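An added example, not part of the thread and not Opster's or Elastic's own code: a shell check to run before restarting anything, confirming that each renewed PEM certificate chains to the new CA and is not close to expiry, which also covers the caveat above about client certificates signed by a different CA. It assumes `openssl` is installed; `cert_status` and `make_demo_pki` are hypothetical helper names, and the demo PKI is constructed sample data.

```shell
#!/bin/sh
# cert_status CA_FILE CERT_FILE [MIN_DAYS]
# Prints one word: expired | untrusted | expiring | ok
cert_status() {
    cs_ca=$1; cs_cert=$2; cs_days=${3:-30}
    # -checkend N exits non-zero if the certificate expires within N seconds
    # (an unreadable file is also reported as expired).
    if ! openssl x509 -in "$cs_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 0
    fi
    # Chain check: the certificate must be signed by the CA the peers will trust.
    if ! openssl verify -CAfile "$cs_ca" "$cs_cert" >/dev/null 2>&1; then
        echo untrusted; return 0
    fi
    if ! openssl x509 -in "$cs_cert" -noout \
            -checkend $((cs_days * 86400)) >/dev/null 2>&1; then
        echo expiring; return 0
    fi
    echo ok
}

# make_demo_pki DIR: constructed sample data only. Creates two throwaway CAs
# (old-ca, new-ca), a node and a short-lived cert signed by new-ca, and a
# client cert signed by old-ca.
make_demo_pki() {
    pki_dir=$1
    for pki_ca in old-ca new-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=demo-$pki_ca" -keyout "$pki_dir/$pki_ca.key" \
            -out "$pki_dir/$pki_ca.crt" >/dev/null 2>&1 || return 1
    done
    issue() { # issue NAME CA DAYS
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
            -keyout "$pki_dir/$1.key" -out "$pki_dir/$1.csr" >/dev/null 2>&1 &&
        openssl x509 -req -in "$pki_dir/$1.csr" -CA "$pki_dir/$2.crt" \
            -CAkey "$pki_dir/$2.key" -CAcreateserial -days "$3" \
            -out "$pki_dir/$1.crt" >/dev/null 2>&1
    }
    issue node new-ca 365 && issue short new-ca 5 && issue client old-ca 365
}

# Usage: sh check_certs.sh /path/to/ca.crt /path/to/node.crt [min_days]
if [ "$#" -ge 2 ]; then
    cert_status "$@"
fi
```

Any result other than `ok` for a node, Logstash or client certificate means that certificate should be reissued from the new CA before the restart.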