Is it preferable to use publicly signed certificates for fleet server?

I'm reading through the documentation for fleet servers in elastic 8.7. On the subject of configuring TLS/SSL for fleet servers, I see this:

Is it preferable to create certificates for fleet servers with ./bin/elasticsearch-certutil ca --pem, or is it preferable to use certificates signed by a public CA like Sectigo, Let's Encrypt, etc.?

I made a mistake on another project where I used public certs for the elastic cluster protocol on port 9300, where public root certs basically let any elastic node join my cluster without any restriction.

I wasn't sure if something of a similar nature would happen when using public certs for fleet servers.

Hi, I think elasticsearch-certutil is just a utility; any other tool can be used to create certificates, so there is not really a preferable way.

For the ES nodes/agents you have to use certs signed by your server's CA, so I'm not sure what the concern is. Perhaps you have used a CA before that was reused between different clusters?

You can read more about ES certificates here: Set up basic security for the Elastic Stack | Elasticsearch Guide [8.7] | Elastic

1 Like
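As an added illustration of the point made in this answer (example code, not from the thread or from Elastic), using Python's `cryptography` library with two constructed CAs: a node certificate is accepted only if it chains to the cluster's own private CA, so a certificate issued by any other CA, which is exactly what a public root in the trust store would let through, is rejected.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _build(cn, issuer_name, pub, signer_key, is_ca):
    # Minimal cert: subject CN, validity window, BasicConstraints, ECDSA/SHA-256 signature.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
        .issuer_name(issuer_name)
        .public_key(pub)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer_key, hashes.SHA256())
    )

def make_ca(cn):
    """Self-signed CA (constructed stand-in for the CA that elasticsearch-certutil ca creates)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, _build(cn, subject, key.public_key(), key, True)

def issue_node_cert(ca_key, ca_cert, cn):
    """Leaf cert for a node/agent/Fleet Server, signed by the given CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    return _build(cn, ca_cert.subject, key.public_key(), ca_key, False)

def chains_to_private_ca(cert, trusted_ca):
    """Accept only certs whose issuer is the cluster CA AND whose signature that CA really made."""
    if cert.issuer != trusted_ca.subject:
        return False  # issued by some other CA (e.g. a public one): not ours
    try:
        trusted_ca.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False  # issuer name copied but not signed with our CA key
```

Elasticsearch performs this check itself when the transport/HTTP trust store contains only your private CA; the function just makes explicit what a trust store limited to one CA buys you.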

Thanks Julia! This was a question that I posted earlier and it was answered by a few people:

I wasn't sure if a similar situation would happen with elastic agents and fleet servers.

If the certs were signed by a public CA, would that cause any concerns for ES nodes/agents?