Rotate X-Pack Certificate

I wrote a script to rotate X-Pack certificates but can't get Elasticsearch to start. How should certificates get rotated?

How should certificates get rotated?

It depends.

You can rotate certificates in place. Elasticsearch will detect changes to those files and reload them, but you will need to take care to update the key and certificate at the same time.

If the certificates are for the transport connection, then this will only work if they have the same trust-chain (CAs) as before (or, more accurately, if both the previous signing chain and the new signing chain are trusted by all of the cluster nodes).

Alternatively, if you want to point to new certificate files, you may need to do rolling restarts. Depending on which certs you want to update you may potentially need to do multiple rounds of restarts to update CAs, then certs, then CAs.

We're much better at solving problems if you actually describe the error to us. What exactly is preventing ES from starting?
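
One way to run the checks the answer above implies before an in-place rotation, as an added example that is not part of the original thread or Elastic's own tooling. It assumes unencrypted PEM key and certificate files and the `openssl` CLI; the function name and all file arguments are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks and in-place swap of a PEM cert/key pair.
# Assumption: unencrypted PEM files; every path is supplied by the caller.

# rotate_pem_pair NEW_CERT NEW_KEY TRUSTED_CA LIVE_CERT LIVE_KEY
# Returns 0 after swapping, 1 if the key does not match the certificate,
# 2 if the certificate does not chain to TRUSTED_CA, 3 if staging fails.
# The live files are left untouched on any failure.
rotate_pem_pair() {
    new_cert=$1 new_key=$2 ca=$3 live_cert=$4 live_key=$5

    # 1. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$new_cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$new_key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    # 2. The new certificate must chain to a CA the other nodes already trust,
    #    otherwise peers will reject this node once the files are reloaded.
    openssl verify -CAfile "$ca" "$new_cert" >/dev/null 2>&1 \
        || { echo "certificate not signed by trusted CA" >&2; return 2; }

    # 3. Stage both files beside the live ones (same filesystem), then rename
    #    them back to back so a mismatched pair exists only for an instant.
    ( umask 077
      cp "$new_key" "$live_key.staged" && cp "$new_cert" "$live_cert.staged"
    ) || return 3
    mv -f "$live_key.staged" "$live_key" && mv -f "$live_cert.staged" "$live_cert"
}
```

Run it as the user that owns the live files, and pass as `TRUSTED_CA` the CA bundle the rest of the cluster is already configured to trust.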
