How do I extend the SSL Certificate expiry period?

Hi everyone.
I have an ES cluster (ES version 7.4.2) that has been running for 3 years.
When I run the following query:

GET _ssl/certificates

I'm getting the output.

"expiry" : "2022-11-20T07:27:29.000Z"

My cluster is in active use and shutting it down will be a problem for me. Is there a way to extend the certificate period? Or any suggestions.

7.4 is EOL and no longer supported, please upgrade :slight_smile:

You will need to replace the certificates with updated ones that have longer expirations. You should be able to do that with a rolling restart however.
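As an added example (not code from the thread or from Elastic), this is one way to turn the `GET _ssl/certificates` output into a list of entries that are expired or close to expiry, so every keystore and truststore entry that needs replacing is found before the rolling restart. The sample response is constructed: the path and expiry format follow the thread, while the aliases, DNs, serial numbers and the `certs/http.p12` entry are made up.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a GET _ssl/certificates response.
SAMPLE_RESPONSE = """
[
  {"path": "certs/temescls01-certificates.p12", "format": "PKCS12",
   "alias": "ca", "subject_dn": "CN=Example CA", "serial_number": "1a2b",
   "has_private_key": false, "expiry": "2022-11-20T07:27:29.000Z"},
  {"path": "certs/temescls01-certificates.p12", "format": "PKCS12",
   "alias": "instance", "subject_dn": "CN=instance", "serial_number": "3c4d",
   "has_private_key": true, "expiry": "2022-11-20T07:27:29.000Z"},
  {"path": "certs/http.p12", "format": "PKCS12",
   "alias": "http", "subject_dn": "CN=http", "serial_number": "5e6f",
   "has_private_key": true, "expiry": "2025-01-01T00:00:00.000Z"}
]
"""

def parse_expiry(value):
    """Parse the API's UTC timestamp, e.g. 2022-11-20T07:27:29.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)

def expiring(response_json, now, warn_days=30):
    """Return sorted (days_left, status, alias, path) for entries that are
    already expired or expire within warn_days of `now`."""
    findings = []
    for cert in json.loads(response_json):
        days_left = (parse_expiry(cert["expiry"]) - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            continue  # outside the warning window, nothing to report
        findings.append((days_left, status, cert["alias"], cert["path"]))
    return sorted(findings)

if __name__ == "__main__":
    # Fixed date so the run is repeatable; use datetime.now(timezone.utc) live.
    now = datetime(2022, 11, 1, tzinfo=timezone.utc)
    for days_left, status, alias, path in expiring(SAMPLE_RESPONSE, now):
        print(f"{status:8} {days_left:4d}d  alias={alias}  {path}")
```

Running the same check against each node after its restart shows whether that node has actually loaded the replacement certificates.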

Hi @warkolm. Thanks for the answer.

In /usr/share/elasticsearch:
For the new 'temescls01-ca.p12' certificate
I run './bin/elasticsearch-certutil cert --ca /etc/elasticsearch/certs/temescls01-ca.p12' and when I enter the 'CA CERT password' it generates a new temescl01-ca.p12 certificate.

For the new 'temescls01-certificates.p12' certificate
I run './bin/elasticsearch-certutil cert /etc/elasticsearch/certs/temescls01-certificates.p12' and enter the 'keystore password'.

I'm using the old certificates' passwords for both new certificates.

I was able to create both certificates. But when I stop the elasticsearch service and replace the old certificates with new certificates by following the document here, the node cannot join the cluster. When I replace the old certificate, the node joins the cluster without any problems.

An example from elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.keystore.password: XXXXXXXXX
xpack.security.transport.ssl.truestore.path: certs/temescls01-certificates.p12
xpack.security.transport.ssl.truestore.password: XXXXXXXXX

Is there something I did wrong?

You will need to share logs please.

Hi @warkolm.
I solved the problem by following the steps in this article. In addition, I had to restart the service on a single node. I think it's because my ES version is 7.4.2.
