---
title: Configure SSL/TLS for self-managed Fleet Servers
description: If you’re running a self-managed cluster, configure Transport Layer Security (TLS) to encrypt traffic between Elastic Agents, Fleet Server, and other...
url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/secure-connections
products:
- Elastic Agent
- Fleet
applies_to:
- Self-managed Elastic deployments: Generally available
---
# Configure SSL/TLS for self-managed Fleet Servers
If you’re running a self-managed cluster, configure Transport Layer Security (TLS) to encrypt traffic between Elastic Agents, Fleet Server, and other components in the Elastic Stack.
For the install settings specific to mutual TLS, as opposed to one-way TLS, refer to [Elastic Agent deployment models with mutual TLS](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/mutual-tls).
For a summary of flow by which TLS is established between components using either one-way or mutual TLS, refer to [One-way and mutual TLS certifications flow](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/tls-overview).
[Elastic Cloud](https://www.elastic.co/cloud/elasticsearch-service?page=docs&placement=docs-body) provides secure, encrypted connections out of the box!
## Prerequisites
Configure security and generate certificates for the Elastic Stack. For more information about securing the Elastic Stack, refer to [Secure your cluster, deployment, or project](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/security/secure-your-cluster-deployment).
Elastic Agents require a PEM-formatted CA certificate to send encrypted data to Elasticsearch. If you followed the steps in [Secure your cluster, deployment, or project](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/security/secure-your-cluster-deployment), your certificate will be in a p12 file. To convert it, use OpenSSL:
```shell
openssl pkcs12 -in path.p12 -out cert.crt -clcerts -nokeys
openssl pkcs12 -in path.p12 -out private.key -nocerts -nodes
```
Key passwords are not currently supported.
When you run Elastic Agent with the Elastic Defend integration, note the following TLS certificate requirements:
- Elastic Stack: Generally available since 9.1 The [TLS certificates](https://en.wikipedia.org/wiki/X.509) used to connect to Fleet Server and Elasticsearch can use either [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) or Elliptic Curve (EC) keys.
- Elastic Stack: Generally available in 9.0 The TLS certificates used to connect to Fleet Server and Elasticsearch need to be generated using RSA.
For a full list of available algorithms to use when configuring TLS or mTLS, refer to [Configure SSL/TLS for standalone Elastic Agents](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/elastic-agent-ssl-configuration). These settings are available for both standalone and Fleet-managed Elastic Agent.
## Generate a custom certificate and private key for Fleet Server
This section describes how to use the `certutil` tool provided by Elasticsearch, but you can use whatever process you typically use to generate PEM-formatted certificates.
1. Generate a certificate authority (CA). Skip this step if you want to use an existing CA.
```shell
./bin/elasticsearch-certutil ca --pem
```
This command creates a zip file that contains the CA certificate and key you’ll use to sign the Fleet Server certificate. Extract the zip file:
Store the files in a secure location.
2. Use the certificate authority to generate certificates for Fleet Server. For example:
```shell
./bin/elasticsearch-certutil cert \
--name fleet-server \
--ca-cert /path/to/ca/ca.crt \
--ca-key /path/to/ca/ca.key \
--dns your.host.name.here \
--ip 192.0.2.1 \
--pem
```
Where `dns` and `ip` specify the name and IP address of the Fleet Server. Run this command for each Fleet Server you plan to deploy.
This command creates a zip file that includes a `.crt` and `.key` file. Extract the zip file:
Store the files in a secure location. You’ll need these files later to encrypt traffic between Elastic Agents and Fleet Server.
## Configure SSL/TLS using CLI
Use the CLI to configure SSL or TLS when installing or enrolling Fleet Server. This method gives you granular control over certificate paths, verification modes, and authentication behavior.
### Encrypt traffic between Elastic Agents, Fleet Server, and Elasticsearch
Fleet Server needs a CA certificate or the CA fingerprint to connect securely to Elasticsearch. It also needs to expose a Fleet Server certificate so other Elastic Agents can connect to it securely.
For the steps in this section, imagine you have the following files:
| | |
|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `ca.crt` | The CA certificate to use to connect to Fleet Server. This is the CA used to [generate a certificate and key](#generate-fleet-server-certs) for Fleet Server. |
| `fleet-server.crt` | The certificate you generated for Fleet Server. |
| `fleet-server.key` | The private key you generated for Fleet Server.If the `fleet-server.key` file is encrypted with a passphrase, the passphrase will need to be specified through a file. |
| `elasticsearch-ca.crt` | The CA certificate to use to connect to Elasticsearch. This is the CA used to generate certs for Elasticsearch (see [Prerequisites](#prereqs)).The CA certificate's SHA-256 fingerprint (hash) may be used instead of the `elasticsearch-ca.crt` file for securing connections to Elasticsearch. |
To encrypt traffic between Elastic Agents, Fleet Server, and Elasticsearch:
1. Configure Fleet settings. These settings are applied to all Fleet-managed Elastic Agents.
2. In Kibana, open the main menu, then select **Management > Fleet > Settings**.
1. Under **Fleet Server hosts**, specify the URLs Elastic Agents will use to connect to Fleet Server. For example, [https://192.0.2.1:8220](https://192.0.2.1:8220), where 192.0.2.1 is the host IP where you will install Fleet Server.
For host settings, use the `https` protocol. DNS-based names are also allowed.
2. In the **Outputs** section, search for the default output, then select the **Edit** icon in the **Actions** column.
3. In the **Hosts** field, specify the Elasticsearch URLs where Elastic Agents will send data. For example, [https://192.0.2.0:9200](https://192.0.2.0:9200).
4. Specify either a CA certificate or a CA fingerprint to connect securely to Elasticsearch:
- If you have a valid HEX-encoded SHA-256 CA trusted fingerprint, specify it in the **Elasticsearch CA trusted fingerprint** field. The fingerprint must be for a CA certificate that's present in the certificate chain Elasticsearch sends during the TLS handshake. For more information, refer to [Using certificate fingerprints](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/fleet/certificate-fingerprints).
- Otherwise, specify the certificate authorities to use to connect to Elasticsearch.
You can specify the path to one or more CA certificates (if the files are available), or embed the certificate content directly. If you specify file paths, the certificates must be available on the hosts running the Elastic Agents.
1. Expand the **Authentication** section.
2. In the **Server SSL certificate authorities** field, specify the path to the CA certificate, or paste the certificate content directly.
3. (Optional) Select **Add row** to provide additional certificate authorities.
In the **Advanced YAML configuration** field, set `ssl.certificate_authorities` and specify one or more CA certificates to use to connect to Elasticsearch.File path example:
```yaml
ssl.certificate_authorities: ["/path/to/your/elasticsearch-ca.crt"]
```
Pasted certificate example:
```yaml
ssl:
certificate_authorities:
- |
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIVAKlphSqJclcni3P83gVsirxzuDuwMA0GCSqGSIb3DQEB
...
-----END CERTIFICATE-----
```
5. Install an Elastic Agent as a Fleet Server on the host and configure it to use TLS:
1. If you don’t already have a Fleet Server service token, select the **Agents** tab in Fleet and follow the instructions to generate the service token now.
The in-product installation steps are incomplete. Before running the `install` command, add the settings shown in the next step.
2. From the directory where you extracted Fleet Server, run the `install` command and specify the certificates to use.
The following command installs Elastic Agent as a service, enrolls it in the Fleet Server policy, and starts the service.
If you’re using DEB or RPM, or already have the Elastic Agent installed, use the `enroll` command along with the following options, then start the service as described in [Start Elastic Agent](/elastic/docs-builder/docs/3016/reference/fleet/start-stop-elastic-agent#start-elastic-agent-service).
```shell
sudo ./elastic-agent install \
--url=https://192.0.2.1:8220 \
--fleet-server-es=https://192.0.2.0:9200 \
--fleet-server-service-token=AAEBAWVsYXm0aWMvZmxlZXQtc2XydmVyL3Rva2VuLTE2MjM4OTAztDU1OTQ6dllfVW1mYnFTVjJwTC2ZQ0EtVnVZQQ \
--fleet-server-policy=fleet-server-policy \
--fleet-server-es-ca=/path/to/elasticsearch-ca.crt \
--certificate-authorities=/path/to/ca.crt \
--fleet-server-cert=/path/to/fleet-server.crt \
--fleet-server-cert-key=/path/to/fleet-server.key \
--fleet-server-port=8220 \
--elastic-agent-cert=/tmp/fleet-server.crt \
--elastic-agent-cert-key=/tmp/fleet-server.key \
--elastic-agent-cert-key-passphrase=/tmp/fleet-server/passphrase-file \
--fleet-server-es-cert=/tmp/fleet-server.crt \
--fleet-server-es-cert-key=/tmp/fleet-server.key \
--fleet-server-client-auth=required
```
Where:
Fleet Server URL.
Elasticsearch URL
Service token to use to communicate with Elasticsearch.
The specific policy that Fleet Server will use.
CA certificate that the current Fleet Server uses to connect to Elasticsearch.
List of paths to PEM-encoded CA certificate files that should be trusted for the other Elastic Agents to connect to this Fleet Server
The path for the PEM-encoded certificate (or certificate chain) which is associated with the fleet-server-cert-key to expose this Fleet Server HTTPS endpoint to the other Elastic Agents
Private key to use to expose this Fleet Server HTTPS endpoint to the other Elastic Agents
The certificate to use as the client certificate for Elastic Agent's connections to Fleet Server.
The path to the private key to use as for Elastic Agent's connections to Fleet Server.
The path to the file that contains the passphrase for the mutual TLS private key that Elastic Agent will use to connect to Fleet Server. The file must only contain the characters of the passphrase, no newline or extra non-printing characters. This option is only used if the `elastic-agent-cert-key` is encrypted and requires a passphrase to use.
The path to the client certificate that Fleet Server will use when connecting to Elasticsearch.
The path to the private key that Fleet Server will use when connecting to Elasticsearch.
One of `none`, `optional`, or `required`. Defaults to `none`. Fleet Server's client_authentication option for client mTLS connections. If `optional` or `required` is specified, client certificates are verified using CAs specified in the `--certificate-authorities` flag.
Additionally an optional passphrase for the private key may be specified with:
Passphrase file used to decrypt Fleet Server's private key.
What happens if you enroll Fleet Server without specifying certificates?
If the certificates are managed by your organization and installed at the system level, they will be used to encrypt traffic between Elastic Agents, Fleet Server, and Elasticsearch.
If system-level certificates don’t exist, Fleet Server automatically generates self-signed certificates. Traffic between Fleet Server and Elastic Agents over HTTPS is encrypted, but the certificate chain cannot be verified. Any Elastic Agents enrolling in Fleet Server will need to pass the `--insecure` flag to acknowledge that the certificate chain is not verified.
Allowing Fleet Server to generate self-signed certificates is useful to get things running for development, but not recommended in a production environment.
6. Install your Elastic Agents and enroll them in Fleet.
Elastic Agents connecting to a secured Fleet Server need to pass in the CA certificate used by the Fleet Server. The CA certificate used by Elasticsearch is already specified in the agent policy because it’s set under Fleet settings in Kibana. You do not need to pass it on the command line.
The following command installs Elastic Agent as a service, enrolls it in the agent policy associated with the specified token, and starts the service.
```shell
sudo elastic-agent install --url=https://192.0.2.1:8220 \
--enrollment-token= \
--certificate-authorities=/path/to/ca.crt
```
Where:
Fleet Server URL to use to enroll the Elastic Agent into Fleet.
The enrollment token for the policy that will be applied to the Elastic Agent.
CA certificate to use to connect to Fleet Server. This is the CA used to [generate a certificate and key](#generate-fleet-server-certs) for Fleet Server.
Don’t have an enrollment token? On the **Agents** tab in Fleet, select **Add agent**. Under **Enroll and start the Elastic Agent**, follow the in-product installation steps, making sure that you add the `--certificate-authorities` option before you run the command.
## Configure SSL/TLS using Kibana
- Elastic Stack: Generally available since 9.1
You can configure SSL/TLS settings for Fleet Server hosts directly in the Fleet UI, without relying on CLI flags or policy overrides.
To access these settings:
1. In **Kibana**, go to **Management > Fleet > Settings**.
2. Under **Fleet Server hosts**, select **Add host** or edit an existing host.
3. Expand the **SSL options** section.
### SSL options
These are the available UI fields and their CLI equivalents:
The following table shows the available UI fields and their CLI equivalents:
| **UI Field** | **CLI Flag** | **Purpose** |
|---------------------------------------|------------------------------|----------------------------------------------------------------------|
| Server SSL certificate authorities | `--certificate-authorities` | CA to validate agent certificates (Fleet Server authenticates agent) |
| Client SSL certificate | `--fleet-server-cert` | TLS certificate Fleet Server presents to agent (agent validates it) |
| Client SSL certificate key | `--fleet-server-cert-key` | Key paired with the Fleet Server client certificate |
| Elasticsearch certificate authorities | `--fleet-server-es-ca` | CA Fleet Server uses to validate Elasticsearch cert |
| SSL certificate for Elasticsearch | `--fleet-server-es-cert` | Fleet Server’s mTLS certificate for Elasticsearch |
| SSL certificate key for Elasticsearch | `--fleet-server-es-cert-key` | Key paired with the Fleet Server’s Elasticsearch certificate |
| Enable client authentication | `--fleet-server-client-auth` | Require agents to present client certificates (mTLS only) |
Editing SSL or proxy settings for an existing Fleet Server might cause agents to lose connectivity. After changing client certificate settings, you might need to re-enroll the affected agents.
To configure a mutual TLS connection from Fleet Server to Elasticsearch, use the Elasticsearch output settings. For more information, refer to [Output SSL options](/elastic/docs-builder/docs/3016/reference/fleet/tls-overview#output-ssl-options).