Need Clarification on How to Obtain ES SSL Certs for Fleet Server


I need clarification on the following prerequisite for setting up proper Fleet Server SSL/TLS certificates.

Excerpt from Configure SSL/TLS for self-managed Fleet Servers:

Elastic Agents require a PEM-formatted CA certificate to send encrypted data to Elasticsearch. If you followed the steps in Configure security for the Elastic Stack, your certificate will be in a p12 file. To convert it, use openssl:
openssl pkcs12 -in path.p12 -out cert.crt -clcerts -nokeys
openssl pkcs12 -in path.p12 -out private.key -nocerts -nodes
Key passwords are not currently supported.

I followed the steps that it mentions for setting up Elastic Stack security. I have a primary CA as elastic-stack-ca.p12. For each node I have two keystores, one for TLS/SSL and one for HTTPS: "elastic-certificates.p12" and "http.p12" respectively. These were generated for my three ES nodes using certutil and my primary CA, "elastic-stack-ca.p12", also created with certutil. When this prerequisite says "certificate", which does it mean? Additionally, will converting this certificate to a .crt and .key file require re-configuring my ES nodes at all, or can they continue to use the .p12 file?

Any help is greatly appreciated!
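
The openssl conversion in the quoted excerpt, extended to show how to tell which certificate inside a PKCS#12 keystore is the CA certificate and which is the node certificate. This is an added example, not part of the original post or of Elastic's documentation; the throwaway CA, the keystore, the file names, the subjects and the password are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example. Everything below is constructed for the demo: the throwaway CA,
# the node keystore, the file names, the subjects and the password "demo-pass".

# Build a CA, a node certificate signed by it, and a keystore bundling both.
make_demo_p12() {  # $1 = working directory
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
      -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
      -keyout node.key -out node.csr 2>/dev/null
    openssl x509 -req -in node.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 1 -out node.pem 2>/dev/null
    openssl pkcs12 -export -inkey node.key -in node.pem -certfile ca.pem \
      -name node -passout pass:demo-pass -out node.p12 )
}

# Print one certificate from a keystore as clean PEM (no "Bag Attributes" text).
#   -clcerts: the certificate bound to the private key in the bundle
#   -cacerts: the other certificates in the bundle (here, the issuing CA)
extract_pem() {  # $1 = p12 file, $2 = -clcerts | -cacerts
  openssl pkcs12 -in "$1" -passin pass:demo-pass "$2" -nokeys 2>/dev/null |
    openssl x509
}

# Print a certificate's subject or issuer DN without the "subject=" label.
cert_field() {  # $1 = PEM file, $2 = -subject | -issuer
  openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[a-z]*= *//'
}

# Say whether a PEM certificate is self-signed (a root CA) or issued by another CA.
describe_cert() {  # $1 = PEM file
  local subj iss
  subj=$(cert_field "$1" -subject); iss=$(cert_field "$1" -issuer)
  if [ "$subj" = "$iss" ]; then echo "self-signed root: $subj"
  else echo "issued to $subj by $iss"; fi
}

demo() {
  local dir; dir=$(mktemp -d)
  make_demo_p12 "$dir"
  extract_pem "$dir/node.p12" -cacerts > "$dir/ca_out.pem"
  extract_pem "$dir/node.p12" -clcerts > "$dir/node_out.pem"
  describe_cert "$dir/ca_out.pem"
  describe_cert "$dir/node_out.pem"
  rm -rf "$dir"
}
demo
```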
