To secure our ELK cluster we are using self-signed certificates generated by elasticsearch-certutil tool. Our ca.crt and certificates of nodes expired.
I would like to mention that many external filebeats connect to logstash and also use this ca.crt
What is the procedure to renew such certificates?
To renew your expired certificates, you can follow these steps:
- Generate a new CA certificate and key using the
elasticsearch-certutil tool. You can use the following command:
bin/elasticsearch-certutil ca --pem --days <validity_days> --out <output_directory>/ca.zip
<validity_days> with the number of days you want the certificate to be valid for, and
<output_directory> with the directory where you want to save the new CA certificate.
ca.zip file. You will find the new CA certificate and key in the
Generate new node certificates using the new CA certificate and key. You can use the following command:
bin/elasticsearch-certutil cert --ca-cert <path_to_ca_certificate> --ca-key <path_to_ca_key> --pem --days <validity_days> --out <output_directory>/certs.zip
<path_to_ca_key> with the paths to the new CA certificate and key,
<validity_days> with the number of days you want the certificates to be valid for, and
<_directory> with the directory where you want to save the new node certificates.
certs.zip file. You will find the new node certificates in the
Replace the old CA certificate and node certificates with the new ones in your Elasticsearch configuration.
Restart your Elasticsearch nodes for the changes to take effect.
Replace the old CA certificate with the new one in your Filebeat and Logstash configurations.
Restart your Filebeat and Logstash instances for the changes to take effect.
Remember to distribute the new CA certificate to all external Filebeat instances that connect to Logstash. They will need the new CA certificate to verify the identity of Logstash.
Please note that this process will cause downtime for your Elasticsearch cluster and Filebeat and Logstash instances. You should plan this operation during a maintenance window.
Disclaimer, OpsGPT assisted me with this answer.
@Opster_support thanks for your answer.
I have additional question regarding to filebeats clients. I understand that client certificates don't need to be re-created. Just replace the ca certificate only on clients machines and restart filebeat service. Am I right?
@d.silwon Yes, you're correct. If you're only updating the Certificate Authority (CA) certificate, you don't need to recreate the client certificates. You just need to replace the CA certificate on the client machines and restart the Filebeat service. However, please ensure that the client certificates were originally signed by the CA that you're updating. If not, you'll need to recreate and replace them as well.
@Opster_support Clients certificates were signed by expired CA. Thanks a lot for your involvement and assistance.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.