In my system
http.p12 expired in 2025
http_ca.p12 expired in 2026
I renew the http.p12 to 2030 using the http_ca.p12.
May I know whehter http.p12 can work in 2027 (as http_ca.p12 expired in 2026)
If not. Is there any means to renew the http_ca.p12
Hello,
the http certs are only valid as long as the CA is valid. So unfortunately you will have to generate a new CA and also new HTTP Certs for every node.
I had the same problem one our cluster.
The following is described in the documentation: Different CA | Elastic Docs
You have to generate a new CA store/certificate with the elasticsearch-certutil command:
./bin/elasticsearch-certutil ca
This outputs a p12 store which you can then use to create new certificates for the nodes (like you have already done).
Attention: this is for some client not possible without downtime (clients where you can only define one CA to verify against, like with the fingerprint option in the Beats or Logstash).
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.