To renew your expired certificates, you can follow these steps:
- Generate a new CA certificate and key using the elasticsearch-certutil tool. You can use the following command:
    bin/elasticsearch-certutil ca --pem --days <validity_days> --out <output_directory>/ca.zip
  Replace <validity_days> with the number of days you want the certificate to be valid for, and <output_directory> with the directory where you want to save the new CA certificate.
- Unzip the ca.zip file. You will find the new CA certificate and key in the ca directory.
- Generate new node certificates using the new CA certificate and key. You can use the following command:
    bin/elasticsearch-certutil cert --ca-cert <path_to_ca_certificate> --ca-key <path_to_ca_key> --pem --days <validity_days> --out <output_directory>/certs.zip
  Replace <path_to_ca_certificate> and <path_to_ca_key> with the paths to the new CA certificate and key, <validity_days> with the number of days you want the certificates to be valid for, and <output_directory> with the directory where you want to save the new node certificates.
- Unzip the certs.zip file. You will find the new node certificates in the certs directory.
- Replace the old CA certificate and node certificates with the new ones in your Elasticsearch configuration.
- Restart your Elasticsearch nodes for the changes to take effect.
- Replace the old CA certificate with the new one in your Filebeat and Logstash configurations.
- Restart your Filebeat and Logstash instances for the changes to take effect.
Remember to distribute the new CA certificate to all external Filebeat instances that connect to Logstash. They will need the new CA certificate to verify the identity of Logstash.
Please note that this process will cause downtime for your Elasticsearch cluster and Filebeat and Logstash instances. You should plan this operation during a maintenance window.
Disclaimer, OpsGPT assisted me with this answer.
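
A pre-restart check for the renewed PEM files from the steps above, as an added example that is not part of the original answer: it confirms the node certificate chains to the CA file you are about to distribute, that the private key matches the certificate, and that enough validity remains. The function names and the argument order are assumptions of this sketch, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original answer). All paths are supplied by
# the caller; nothing here assumes a particular layout inside the zip files.

# Succeeds only if the node certificate verifies against the given CA file.
cert_chains_to_ca() {  # args: ca_cert node_cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the certificate is still valid N days from now.
cert_valid_for_days() {  # args: cert days
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds only if the private key belongs to the certificate
# (compares the public key extracted from each).
key_matches_cert() (  # args: cert key
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$a" ] && [ "$a" = "$b" ]
)

# Runs all three checks and reports each one; non-zero if any check fails.
check_renewed() {  # args: ca_cert node_cert node_key min_days
  rc=0
  cert_chains_to_ca "$1" "$2" && echo "OK   $2 chains to $1" \
    || { echo "FAIL $2 is not signed by $1"; rc=1; }
  key_matches_cert "$2" "$3" && echo "OK   $3 matches $2" \
    || { echo "FAIL $3 does not match $2"; rc=1; }
  cert_valid_for_days "$2" "$4" && echo "OK   $2 valid for at least $4 days" \
    || { echo "FAIL $2 expires within $4 days"; rc=1; }
  openssl x509 -in "$2" -noout -enddate 2>/dev/null || rc=1
  return "$rc"
}

# Usage: sh check_certs.sh <ca_cert> <node_cert> <node_key> <min_days>
if [ "$#" -eq 4 ]; then check_renewed "$@"; fi
```

Running it against the CA file still configured in Filebeat or Logstash shows the failure those clients would hit if they were not given the new CA.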