How to Use Multiple Remote Hosts for Reindexing

I'm just trying to get some clarification on how to use multiple remote hosts for reindexing.

It seems (from the official docs) you can list multiple old servers in your reindex.remote.whitelist easily with:

reindex.remote.whitelist: "otherhost:9200, another:9200, 127.0.10.*:9200, localhost:*"

As per:

But where I'm confused is, if all of those multiple servers are using certificates, I would assume you need to provide the SSL parameters in the config as well - but how do you provide that for multiple servers at the same time?

The normal SSL parameters for reindex as per:

And where my confusion lies is around providing those SSL parameters in the config, but for multiple servers (since I have multiple servers in the whitelist). If I have 1 server whitelisted, I easily put that servers appropriate SSL parameters in the config as well - but if I have 2 servers in the whitelist, how do I put the second servers SSL certificate path in the config as well?

For example here is my already working config with 1 server whitelisted:

reindex.remote.whitelist: oldserver:9200

reindex.ssl.certificate_authorities: ca_file_here.pem
reindex.ssl.keystore.path: oldserver.pfx
reindex.keystore.type: PKCS12
reindex.ssl.verification_mode: certificate

That is setup and works perfectly!

However I am now confused. If I were to put in another remote host I want to reindex from (to use the Elastic example a server called "another:9200" I am confused on how I also put the SSL certificate information in.

I assume there are 2 parts to this:

  1. Adding multiple server names to the reindex.remote.whitelist (which seems easy as the documentation shows)

Before:

reindex.remote.whitelist: oldserver:9200

After:

reindex.remote.whitelist: "oldserver:9200, another:9200"
  1. Add in the ssl parameters (as I did in my individual example) but how do I put in simultaneous entries? Since when it's 1 just server oldserver I can easily put the few config lines I need to mention the type of certificate, path to it, etc, etc. But if the 2nd server, another also has it's own certificate, how do I properly add that into the config as well?

To my knowledge I can't use duplicate config lines:

reindex.ssl.certificate_authorities: ca_file_here.pem
reindex.ssl.keystore.path: oldserver.pfx
reindex.keystore.type: PKCS12
reindex.ssl.verification_mode: certificate

# but how do I also put in the same settings for the 2nd server "another:9200"??
reindex.ssl.certificate_authorities: ca_file_here.pem
reindex.ssl.keystore.path: another.pfx
reindex.keystore.type: PKCS12
reindex.ssl.verification_mode: certificate

So how do I properly provide the config lines for both SSL certificates for the 2 servers whitelisted in reindex.remote.whitelist?

Furthermore - how would I add in the password to decrypt those certificates in the keystore The part I'm confused on there is, again, when I just have 1 certificate for the whitelisted server, it's easy to add it in via /bin/elasticsearch-keystore add reindex.ssl.keystore.secure_password but again if I have an additional server, how would I add in that 2nd server (in this case another:9200 certificate's password there. If I just ran that command again it would overwrite the original one (for my first server oldserver).

It almost seems like I need a way to have multiple/duplicate config entries in the config, but how do I differentiate them?