Extend the expiry of the certificates

Hi, we have enabled security for Elasticsearch.
We extended the expiry of the certificates.
But the instance certificate still does not get changed and retains the default expiry of 3 years.
Is there a way to make it work?

You need to provide a lot more details if you want us to help you. We cannot guess what is going on, you need to tell us.

What exactly did you do?

What exactly did you do to check this expiry?

I used the certutil command to extend the expiry:
elasticsearch-certutil ca --days 1460

When I check the certificate details using the endpoint /_ssl/certificates,
I find that one of the certificates, the one with the alias instance, is always for 3 years.
Can we extend the expiry for this as well?

You can't change the expiry for an existing certificate. You can generate a new certificate, but you can't change a certificate.
The elasticsearch-certutil ca command generates a new certificate and signing key, so it is, in reality, a totally new CA.

What did you do with the new CA cert/key after you generated it?

Yeah, I created new certificates and then noticed that one of them, with the alias instance, is created only for 3 years.

I have generated new certificates for 4 years.
I can see that from the response of the API
http://localhost:9200/_ssl/certificates
but one of them shows as "subject_dn": "CN=instance" and is generated only for 3 years.
What does this refer to?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
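The check described in the thread, comparing each entry returned by /_ssl/certificates against the validity that was requested, can be scripted. The following is an added example, not code from the thread or from Elastic; the sample response is constructed, and the names short_lived, SAMPLE_RESPONSE and NOW are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a GET /_ssl/certificates response.
# Paths, serial numbers and dates are made up for this example.
SAMPLE_RESPONSE = [
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12",
     "alias": "ca", "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "a1b2c3", "has_private_key": False,
     "expiry": "2028-03-01T10:00:00.000Z"},
    {"path": "certs/elastic-certificates.p12", "format": "PKCS12",
     "alias": "instance", "subject_dn": "CN=instance",
     "serial_number": "d4e5f6", "has_private_key": True,
     "expiry": "2027-03-02T10:00:00.000Z"},
]

# Assumed moment of the check: right after the certificates were generated.
NOW = datetime(2024, 3, 2, 10, 0, 0, tzinfo=timezone.utc)


def parse_expiry(value):
    """Parse the API's ISO 8601 UTC timestamp, e.g. 2027-03-02T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def short_lived(certs, now, expected_days, tolerance_days=1):
    """Return (alias, subject_dn, days_left) for every certificate that
    expires sooner than expected_days from now (minus a small tolerance)."""
    flagged = []
    for cert in certs:
        days_left = (parse_expiry(cert["expiry"]) - now).days
        if days_left < expected_days - tolerance_days:
            # alias is absent/null for PEM files, so use .get()
            flagged.append((cert.get("alias"), cert["subject_dn"], days_left))
    return flagged


if __name__ == "__main__":
    # The CA was requested with --days 1460; report anything shorter.
    for alias, subject, days in short_lived(SAMPLE_RESPONSE, NOW, 1460):
        print(f"{subject} (alias={alias}) expires in {days} days, expected 1460")
```

A certificate flagged here has to be reissued, since, as the reply above says, an existing certificate's expiry cannot be changed. Note that elasticsearch-certutil cert takes its own --days option, separate from the one passed to the ca command.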