Yes, I assumed that was the case, but I wanted to be really clear.
It depends on exactly what you're trying to achieve, but yes, it's the CA cert.
SSL can be used for 3 things (but doesn't need to do all of them)
- Confidentiality (Encryption)
- Server identity
- Client identity
Most of the time only (1) and (2) apply.
In a web browser environment, SSL makes sure your connection is encrypted, and the certificate checking makes sure you're connecting to the right server, but it's not normally used to check the identity of the user operating the browser. It can be, but normally you just pass a username + password over the encrypted SSL connection.
Logstash is the same. It is the client to the ES server, and you can use a client certificate to establish the identity of the logstash process, but it is more commonly that case that use just use a username + password.
That means your logstash process doesn't need its own certificate because it's not trying to establish its own identity via SSL certs. It does, however, need to know how to check the identity of the server. For that it needs a copy of the CA certificate. The CA is the participant that is asserting the identity of the ES server, and the Logstash process needs to trust that CA by being configured with a copy of the CA cert.
If you to use SSL to eastblish the Logstash process's identity, then you'll need a different configuration on both the Logstash side and the ES side.