Renew http.p12 and http_ca.p12

In my system
http.p12 expired in 2025
http_ca.p12 expired in 2026

I renewed the http.p12 to 2030 using the http_ca.p12.
May I know whether http.p12 can work in 2027 (as http_ca.p12 expired in 2026)?
If not, is there any means to renew the http_ca.p12?

Hello,

The HTTP certs are only valid as long as the CA is valid. So unfortunately you will have to generate a new CA and also new HTTP certs for every node.

I had the same problem on our cluster.

The following is described in the documentation: Different CA | Elastic Docs

You have to generate a new CA store/certificate with the elasticsearch-certutil command:

./bin/elasticsearch-certutil ca

This outputs a p12 store which you can then use to create new certificates for the nodes (like you have already done).

Attention: for some clients this is not possible without downtime (clients where you can only define one CA to verify against, like with the fingerprint option in Beats or Logstash).

3 Likes
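The rule from the answer above, as an added example that is not part of the original thread: a shell check, assuming the openssl CLI is installed, that reports whether both the node certificate and the CA that signed it are still valid a given number of days from now. The function names, the `demo` password and the constructed demo stores are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Usage (paths and passwords are placeholders):
#   sh script.sh http.p12 LEAF_PW http_ca.p12 CA_PW DAYS

# Print the certificate that is paired with the private key in a PKCS#12 store.
p12_cert() {                       # p12_cert STORE PASSWORD
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null
}

# 0 = still valid DAYS from now, 1 = expired by then, 2 = store unreadable.
p12_valid_in_days() {              # p12_valid_in_days STORE PASSWORD DAYS
    pem=$(p12_cert "$1" "$2") || return 2
    [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# 0 only if the node certificate AND its CA are both valid DAYS from now.
chain_valid_in_days() {            # chain_valid_in_days LEAF LEAFPW CA CAPW DAYS
    rc=0
    p12_valid_in_days "$1" "$2" "$5" ||
        { echo "node certificate: not valid in $5 days"; rc=1; }
    p12_valid_in_days "$3" "$4" "$5" ||
        { echo "CA certificate: not valid in $5 days"; rc=1; }
    return "$rc"
}

# Constructed sample data: a CA valid for 30 days signs a node certificate
# valid for 365 days (the node certificate outlives its CA, as in the question).
make_demo_stores() {               # make_demo_stores DIR
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 30 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-node" \
        -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/node.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -out "$1/node.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/ca.key" -in "$1/ca.pem" \
        -passout pass:demo -out "$1/http_ca.p12" &&
    openssl pkcs12 -export -inkey "$1/node.key" -in "$1/node.pem" \
        -passout pass:demo -out "$1/http.p12"
}

# Run the check only when all five arguments are supplied.
if [ "$#" -eq 5 ]; then chain_valid_in_days "$@"; fi
```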