Hi @Jean-Claude, hope this helps.
Did you carefully read through this...
If Elasticsearch is using a self-signed cert, then the Elastic Agents need that CA or trusted fingerprint, because Agents send data directly to Elasticsearch.
See Here
To encrypt traffic between Elastic Agents, Fleet Server, and Elasticsearch:
Configure Fleet settings. These settings are applied to all Fleet-managed Elastic Agents.
In Kibana, open the main menu, then click Management > Fleet > Settings.
Under Fleet Server hosts, specify the URLs Elastic Agents will use to connect to Fleet Server. For example, https://192.0.2.1:8220, where 192.0.2.1 is the host IP where you will install Fleet Server.
For host settings, use the https protocol. DNS-based names are also allowed.
- Under Outputs, search for the default output, then click the Edit icon in the Action column.
- In the Hosts field, specify the Elasticsearch URLs where Elastic Agents will send data. For example, https://192.0.2.0:9200.
- Specify either a CA certificate or CA fingerprint to connect securely to Elasticsearch:
- If you have a valid HEX encoded SHA-256 CA trusted fingerprint from root CA, specify it in the Elasticsearch CA trusted fingerprint field. To learn more, refer to the Elasticsearch security documentation.
- Otherwise, under Advanced YAML configuration, set ssl.certificate_authorities and specify the CA certificate to use to connect to Elasticsearch. You can specify a list of file paths (if the files are available), or embed a certificate directly in the YAML configuration. If you specify file paths, the certificates must be available on the hosts running the Elastic Agents. File path example:
ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"]
Look at the diagram on this page
Note: if you use the Advanced YAML configuration
ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"]
That path / CA will need to be available and readable on all hosts you deploy the agent to.
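A preflight check for the two options quoted above, as an added example that is not part of the original post or of Elastic's tooling: it confirms the CA file is present and readable on the host where it runs, and prints the hex-encoded SHA-256 fingerprint of each certificate in it. The function names `ca_fingerprints` and `check_ca_file` are hypothetical, and the default path is the placeholder from the post.

```python
"""Preflight check for the CA file referenced by ssl.certificate_authorities."""
import base64
import hashlib
import os
import re
import sys

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def ca_fingerprints(pem_text):
    """Hex-encoded SHA-256 of each certificate's DER bytes, in file order.

    Same digest `openssl x509 -fingerprint -sha256` prints, without colons.
    """
    result = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        result.append(hashlib.sha256(der).hexdigest().upper())
    return result


def check_ca_file(path):
    """Return (ok, detail) for the CA path as seen from this host."""
    if not os.path.isfile(path):
        return False, "file not found on this host"
    if not os.access(path, os.R_OK):
        return False, "file exists but the current user cannot read it"
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    try:
        prints = ca_fingerprints(text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "PEM block is not valid base64"
    if not prints:
        return False, "no PEM CERTIFICATE block in file"
    return True, prints


if __name__ == "__main__":
    # Default is the placeholder path from the post; pass the real one as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/path/to/your/elasticsearch-ca.crt"
    ok, detail = check_ca_file(path)
    for line in (detail if ok else [detail]):
        print(f"{path}: {line}")
```

Run it on each agent host as the account the agent service runs under, since readability depends on that user. If the file holds more than one certificate, the fingerprint to use is the one belonging to the root CA.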