Issue - Update security certificates with a different CA

Hi all

I followed the instructions at :-Update security certificates with a different CA | Elasticsearch Guide [7.17] | Elastic

I first tried restarting one node and get the below error

[2023-09-13T18:49:49,292][WARN ][o.e.c.s.DiagnosticTrustManager] failed to establish trust with server at []; the server provided a certificate with subject name [CN=instance] and fingerprint [a172d9229e7c3c1fae3bac25cc0b6a7d0cede1c2]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [ce84943b4c84bda30754c26675081b7bc8e6dccc]) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [421a33b762eb7964776b45740f7fc022ec77d64d]

Any suggestions would be greatly appreciated.

It looks like you have a mix of old and new certificates still in use.

Specifically you have 2 different certificates the have a subject of CN=Elastic Certificate Tool Autogenerated CA. It is likely that one of them is the old CA and the other is the new CA.

Hi Tim!

Thanks for your reply, I truly appreciate it.

From the documentation this is expected. The output should contain both the existing CA certificate and your new certificate.

Would it help to generate the new CA with a different CN?

  1. On every node in your cluster, import the new ca.crt certificate into your existing CA truststore. This step ensures that your cluster trusts the new CA certificate. This example uses the Java keytool utility to import the certificate into the elastic-stack-ca.p12 CA truststore.

keytool -importcert -trustcacerts -noprompt -keystore elastic-stack-ca.p12 \ -storepass -alias new-ca -file ca.crt

  1. Check that the new CA certificate was added to your truststore.

keytool -keystore config/elastic-stack-ca.p12 -list

When prompted, enter the password for the CA truststore.The output should contain both the existing CA certificate and your new certificate. If you previously used the elasticsearch-certutil tool to generate your keystore, the alias of the old CA defaults to ca and the type of entry is PrivateKeyEntry.

I ended up doing a full restart on the newly generated p12 files and stack came up happy.

Thanks for the help!