Help updating Elastic ssl keystore - fatal alert:bad certificate error

I am attempting to update Elastic with a new certificate for the SSL keystore. I created a PFX with an updated certificate and secured it with a password equal to the current password as shown by the command "/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password".

When I copy the new PFX into place and restart Elastic, I get this warning:

[2025-04-16T09:34:45,188][WARN ][o.e.h.AbstractHttpServerTransport] [servername] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/127.0.0.1:9200, remoteAddress=/127.0.0.1:47862}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

And log entries no longer flow to the indices as seen in Kibana. The new certificate uses a different trust chain than the old one, so do I need to add the new root and intermediate certificates to a trust store somewhere? I see a reference to a trust store in elasticsearch.yml, but the existing trust chain is not in it, only the Elastic-generated certificates.

Here is a snippet of my yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: caes1-prod.pfx
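
An added example, not code from the original post, showing the checks worth running on a new PFX before it is dropped into xpack.security.http.ssl.keystore.path. A "Received fatal alert: bad_certificate" is sent by the peer, so here the local client at 127.0.0.1:47862 rejected a certificate; with no client_authentication on the http layer in the snippet above, that is the client refusing the server's certificate, which a client does whenever it cannot build a chain to a root it trusts. The script builds a throwaway chain with openssl (the names "Old Root", "New Root", "New Intermediate" and es.example.invalid, and the password changeme standing in for the keystore's secure_password, are all assumptions) and then runs three checks against a complete PFX and a leaf-only PFX: does the password open it, how many certificates does it carry, and does the leaf validate against a given CA bundle using only the intermediates inside the PFX.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed test chain:
#   Old Root                      -> what clients currently trust
#   New Root -> New Intermediate -> es.example.invalid (the new server cert)
# Assumes openssl (1.1.1 or 3.x) is on PATH.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeme   # assumption: stands in for xpack.security.http.ssl.keystore.secure_password

# Issue a key + certificate. $1 name, $2 subject CN, $3 extension file,
# $4 signer name (empty string = self-signed).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
      -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -out "$WORK/$1.crt" -days 1 -extfile "$3" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
        -CAcreateserial -out "$WORK/$1.crt" -days 1 -extfile "$3" >/dev/null 2>&1
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:es.example.invalid,IP:127.0.0.1\n' > "$WORK/leaf.ext"

issue oldroot "Old Root" "$WORK/ca.ext" ""           # trusted by clients today
issue newroot "New Root" "$WORK/ca.ext" ""           # root behind the new certificate
issue newint  "New Intermediate" "$WORK/ca.ext" newroot
issue es      "es.example.invalid" "$WORK/leaf.ext" newint

# The PFX Elasticsearch should serve: leaf key, leaf cert and the intermediate.
openssl pkcs12 -export -inkey "$WORK/es.key" -in "$WORK/es.crt" \
    -certfile "$WORK/newint.crt" -out "$WORK/full.pfx" -passout "pass:$PASS"
# Common mistake: leaf only, so clients must already hold the intermediate.
openssl pkcs12 -export -inkey "$WORK/es.key" -in "$WORK/es.crt" \
    -out "$WORK/leaf-only.pfx" -passout "pass:$PASS"

# Check 1: does the password open the PFX (MAC verifies)? $1 pfx, $2 password
pfx_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Check 2: how many certificates does the PFX carry? Prints the count.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE' || true
}

# Check 3: does the leaf validate against a trusted bundle, using only the
# intermediates shipped inside the PFX? $1 pfx, $2 password, $3 CA bundle
pfx_verify() {
  d=$(mktemp -d)
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$d/chain.pem" 2>/dev/null
  if [ -s "$d/chain.pem" ]; then
    openssl verify -CAfile "$3" -untrusted "$d/chain.pem" "$d/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$d/leaf.pem" >/dev/null 2>&1
  fi
}

# Demo: the same three checks you would run against the real PFX.
for pfx in full.pfx leaf-only.pfx; do
  f="$WORK/$pfx"
  pfx_opens "$f" "$PASS" && echo "$pfx: password OK" || echo "$pfx: wrong password"
  echo "$pfx: $(pfx_cert_count "$f" "$PASS") certificate(s)"
  pfx_verify "$f" "$PASS" "$WORK/oldroot.crt" && echo "$pfx: trusted by old bundle" || echo "$pfx: NOT trusted by old bundle"
  pfx_verify "$f" "$PASS" "$WORK/newroot.crt" && echo "$pfx: trusted by new bundle" || echo "$pfx: NOT trusted by new bundle"
done
```

Against the real file, point pfx_opens, pfx_cert_count and pfx_verify at caes1-prod.pfx with the password from elasticsearch-keystore show, and pass as the bundle the CA file the connecting client actually uses (for Kibana that is elasticsearch.ssl.certificateAuthorities in kibana.yml, not anything in elasticsearch.yml). Only the full PFX verifies against the new root, and neither verifies against the old one; the server-side truststore settings in elasticsearch.yml are used to verify certificates presented to Elasticsearch, not to decide what it sends.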

Hi @Steven_Cherry, welcome to the community.

Perhaps @TimV can chime in; he is one of the resident cert gurus... 🙂