I'm reading through the documentation for fleet servers in Elastic 8.7. On the subject of configuring TLS/SSL for fleet servers, I see this:
Is it preferable to create certificates for fleet servers with ./bin/elasticsearch-certutil ca --pem or is it preferable to use certificates signed by public certs like Sectigo, Let's Encrypt, etc.?
I made a mistake on another project where I used public certs for the Elastic cluster protocol on port 9300, in which public root certs basically let any Elastic node join my cluster without any restriction.
Wasn't sure if something of similar nature would happen if using public certs for fleet servers?
Hi, I think elasticsearch-certutil is a utility, and any other tool can be used to create certificates, there is not really a preferable way.
For the ES nodes/agents you have to use certs signed by your server's CA, so I'm not sure what is the concern. Perhaps you have used a CA before that was reused between different clusters?
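
What the trust decision discussed in this thread comes down to, as an added example that is not part of either post or of Elastic's documentation: a peer that trusts a CA accepts every certificate that CA has signed, so a CA shared with other parties admits their certificates too. The CA and node names are constructed, and the `openssl` CLI is assumed to be installed.

```shell
# Added example. All CA and node names are constructed; nothing here talks to
# Elasticsearch. It only shows what "trusting a CA" means to a TLS peer.
set -eu
cd "$(mktemp -d)"

# Minimal OpenSSL config so the CA certificates carry basicConstraints CA:TRUE.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: create a self-signed CA (NAME.key, NAME.crt).
make_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue CA LEAF: create a key and CSR for LEAF and have CA sign it.
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# trusts CA LEAF: print accept/reject for a peer whose only trust anchor is CA.
trusts() {
  if openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca shared-ca    # stands in for a CA that also signs for other parties
make_ca cluster-ca   # stands in for a CA created only for this deployment
issue shared-ca  my-node
issue shared-ca  other-party-node
issue cluster-ca my-node-private

for anchor in shared-ca cluster-ca; do
  for leaf in my-node other-party-node my-node-private; do
    echo "anchor=$anchor leaf=$leaf -> $(trusts "$anchor" "$leaf")"
  done
done
```

With `shared-ca` as the anchor, both `my-node` and `other-party-node` are accepted; with `cluster-ca` as the anchor, only `my-node-private` is.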