Where is fleet-server CA?

Elastic Stack Elasticsearch
1

Hello,

I am bit confused about fleet-server ca file? where is that stored? I mean I installed the elasticstack and then installed the fleet server on same server. Generated certificate using instances.yml

instances:
  - name: "elasticsearch"
    dns:
      - indsiem.example.local
      - es01
    ip:
      - "10.0.20.55"
  - name: "kibana"
    dns:
      - indsiem.example.local
      - kb01
    ip:
      - "10.0.20.55"
  - name: "fleet-server"
    dns:
      - indsiem.example.local
      - fleet01
    ip:
      - "10.0.20.55"

In this case I know ca/ca.crt is CA certificate but wondering where is fleet-server ca certificate stored?

when I connect to fleet-server and instpect the file here is what I see

 openssl s_client -connect 10.0.20.55:8220 -showcerts | openssl x509 -text -noout -subject -issuer
subject=O = elastic-fleet, CN = examplesiem
issuer=O = elastic-fleet, CN = localhost

I am not sure from where this certificate is generated? and who signed it?

My fleet-server.crt is not a CA for sure and its a lead certificate. Am I making mistake while installing fleet or generating certs?

openssl x509 -in /usr/share/elasticsearch/fleet-server/fleet-server.crt -noout -issuer -subject

issuer=CN = Elastic Certificate Tool Autogenerated CA
subject=CN = fleet-server
2

am I need to provide all those settings while installing fleet-server?

sudo ./elastic-agent install \
   --url=https://192.0.2.1:8220 \
   --fleet-server-es=https://192.0.2.0:9200 \
   --fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
   --fleet-server-policy=fleet-server-policy \
   --fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
   --certificate-authorities=/path/to/ca.crt \
   --fleet-server-cert=/path/to/fleet-server.crt \
   --fleet-server-cert-key=/path/to/fleet-server.key \
   --fleet-server-port=8220 \
   --elastic-agent-cert=/tmp/fleet-server.crt \
   --elastic-agent-cert-key=/tmp/fleet-server.key \
   --elastic-agent-cert-key-passphrase=/tmp/fleet-server/passphrase-file \
   --fleet-server-es-cert=/tmp/fleet-server.crt \
   --fleet-server-es-cert-key=/tmp/fleet-server.key \
   --fleet-server-client-auth=required