Update TLS certificates

This guide explains how to update TLS certificates in your cluster, the scenarios that require updates, and how to update certificate files and apply the changes.

You might need to update your TLS certificates in the following scenarios:

  • You are adding new nodes to your secured cluster. In this case, you need to generate certificates for the new nodes, preferably using the same Certificate Authority (CA).

  • A security breach has broken the trust of your certificate chain. This situation usually requires generating new certificates signed by a new CA.

  • Your current node certificates will expire soon. In this case, you need to generate new certificates for all nodes, using the same CA if it remains valid, or a new CA if the current one is also expiring.

    Use the SSL certificate API to check when your certificates are expiring:

        GET _ssl/certificates

    Tip

    You can also check a certificate's expiration date with the third-party tool OpenSSL:

        openssl x509 -in /path/to/your/certificate.crt -noout -enddate
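When you act on the output of `GET _ssl/certificates`, you usually want the entries ordered by remaining lifetime and the trusted certificates (entries without a private key, typically the CA) singled out, because an expiring CA means the third scenario above applies with a new CA rather than just new node certificates. The following Python script is an added example, not part of this page or of Elasticsearch: the response it parses is constructed by hand using the field names the API returns, and the paths, subjects, reference date and 30-day threshold are all assumptions.

```python
# Added example for this page (not Elasticsearch code): rank the entries of a
# GET _ssl/certificates response by remaining lifetime and flag the ones that
# need action. The sample response is constructed by hand using the fields the
# API returns (path, format, alias, subject_dn, serial_number, has_private_key,
# expiry); the paths, names and dates are made up.
import json
from datetime import datetime, timezone

SAMPLE_RESPONSE = """[
  {"path": "certs/ca.crt", "format": "PEM", "alias": null,
   "subject_dn": "CN=Example CA", "serial_number": "01",
   "has_private_key": false, "expiry": "2025-01-10T12:00:00.000Z"},
  {"path": "certs/transport.p12", "format": "PKCS12", "alias": "transport",
   "subject_dn": "CN=node-1", "serial_number": "02",
   "has_private_key": true, "expiry": "2025-01-15T12:00:00.000Z"},
  {"path": "certs/http.p12", "format": "PKCS12", "alias": "http",
   "subject_dn": "CN=node-1", "serial_number": "03",
   "has_private_key": true, "expiry": "2026-06-01T12:00:00.000Z"},
  {"path": "certs/old-client.crt", "format": "PEM", "alias": null,
   "subject_dn": "CN=old-client", "serial_number": "04",
   "has_private_key": false, "expiry": "2024-12-01T12:00:00.000Z"}
]"""

# Fixed "today" so the example is reproducible; in practice use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2024, 12, 20, 12, 0, tzinfo=timezone.utc)


def parse_expiry(value):
    """The API reports expiry as ISO 8601 UTC with milliseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiring_certs(response_json, now, within_days=30):
    """Return entries expiring within `within_days` (or already expired), soonest first.

    Entries without a private key are trusted certificates, usually the CA.
    If one of those is expiring, you need a new CA, not merely new node
    certificates signed by the old one.
    """
    findings = []
    for entry in json.loads(response_json):
        days_left = (parse_expiry(entry["expiry"]) - now).days
        if days_left > within_days:
            continue
        findings.append({
            "path": entry["path"],
            "alias": entry["alias"],
            "days_left": days_left,
            "expired": days_left < 0,
            "trusted_only": not entry["has_private_key"],
        })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    for f in expiring_certs(SAMPLE_RESPONSE, REFERENCE_NOW):
        state = "EXPIRED" if f["expired"] else f"{f['days_left']} days left"
        kind = "trusted cert (no key; CA?)" if f["trusted_only"] else "node cert"
        print(f"{f['path']:<24} {kind:<28} {state}")
```

Feed the script the real response body (for example saved from a `GET _ssl/certificates` call) and replace `REFERENCE_NOW` with the current time; anything marked `trusted_only` that appears in the output deserves attention first, since every node certificate signed by that CA will have to be reissued along with it.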

Before updating certificates, you will need to determine which scenario applies to your Certificate Authority (CA):

Depending on which certificates you determine need to be replaced, you might need to update the certificates for the transport layer, the HTTP layer, or both.

If you determine you need to generate new certificates, then you might accomplish this by:

To apply the new certificates to your cluster, either update the configuration on each node and perform a rolling restart of the cluster, or update the certificate files in place and allow Elasticsearch to automatically reload them.

You must complete a rolling restart if you modify any of the following:

To do an in-place update, copy the new certificate and key files (or keystore) into the Elasticsearch configuration directory. To use this method, the new files must have the same file names as the files they replace. Elasticsearch monitors the SSL resources for updates on a five-second interval and will automatically detect changes and reload the keys and certificates.

Note

While it’s possible to do an in-place update for security certificates, using a rolling restart on your cluster is safer and recommended. An in-place update avoids some complications of a rolling restart, but incurs the following risks:

  • If you use PEM files, your certificate and key are in separate files. You must update both files simultaneously or the node might experience a temporary period where it cannot establish new connections.
  • Updating the certificate and key does not automatically force existing connections to refresh. This means that even if you make a mistake, a node can seem like it’s functioning but only because it still has existing connections. It’s possible that a node will be unable to connect with other nodes, rendering it unable to recover from a network outage or node restart.
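The in-place procedure and the risks listed in the note come down to one operation: the two PEM files must land in the Elasticsearch configuration directory under their existing names, as close to simultaneously as the filesystem allows. The Python function below is an added example, not Elasticsearch tooling, of how to do that swap defensively: it refuses file names that do not already exist in the configuration directory (otherwise the reload would never pick them up), checks that the certificate file and key file carry the expected PEM headers so they cannot be installed swapped, stages both copies next to their targets, and then renames them back to back so the window in which the five-second poll could observe a mismatched pair is as short as possible. The configuration directory path, the file names and the PEM contents used by `demo()` are constructed assumptions.

```python
# Added example for this page, not Elasticsearch tooling. Assumes the node uses
# PEM files and that the new files carry the same names as the ones currently
# referenced from elasticsearch.yml, which the in-place reload requires.
import os
import shutil
import tempfile

CERT_MARKER = b"-----BEGIN CERTIFICATE-----"
KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
               b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----")


def check_pem_pair(cert_path, key_path):
    """Refuse files that are not a certificate and a private key, in that order."""
    with open(cert_path, "rb") as f:
        cert = f.read()
    with open(key_path, "rb") as f:
        key = f.read()
    if CERT_MARKER not in cert:
        raise ValueError(f"{cert_path} does not contain a PEM certificate")
    if not any(marker in key for marker in KEY_MARKERS):
        raise ValueError(f"{key_path} does not contain a PEM private key")


def install_pem_pair(config_dir, new_cert, new_key):
    """Replace the cert and key under their existing names, back to back.

    Returns the replaced paths. Run as the user that owns the config directory
    so the renamed files end up with an owner Elasticsearch can read.
    """
    check_pem_pair(new_cert, new_key)
    targets = []
    for src in (new_cert, new_key):
        dest = os.path.join(config_dir, os.path.basename(src))
        if not os.path.isfile(dest):
            raise FileNotFoundError(
                f"{dest} does not exist; an in-place reload requires the same file names")
        targets.append((src, dest))

    # Stage both copies inside the config directory first: a rename within one
    # filesystem is atomic per file, so each poll sees either the old or the
    # new file, never a half-written one.
    staged = []
    for src, dest in targets:
        fd, tmp = tempfile.mkstemp(dir=config_dir, prefix=".staged-")
        os.close(fd)
        shutil.copyfile(src, tmp)
        shutil.copymode(dest, tmp)  # keep the permissions of the file being replaced
        staged.append((tmp, dest))

    # Rename cert then key with nothing in between, so the window in which the
    # five-second poll could observe a mismatched pair is as short as possible.
    for tmp, dest in staged:
        os.replace(tmp, dest)
    return [dest for _, dest in staged]


def demo():
    """Exercise the swap on constructed files in temporary directories."""
    results = {}
    with tempfile.TemporaryDirectory() as config_dir, tempfile.TemporaryDirectory() as incoming:
        # Constructed "current" files the node is assumed to reference.
        for name, body in (("node.crt", b"old cert"), ("node.key", b"old key")):
            with open(os.path.join(config_dir, name), "wb") as f:
                f.write(body)
        # Constructed "new" pair with the same names and PEM-style headers.
        new_cert = os.path.join(incoming, "node.crt")
        new_key = os.path.join(incoming, "node.key")
        with open(new_cert, "wb") as f:
            f.write(CERT_MARKER + b"\nMIIB...constructed...\n-----END CERTIFICATE-----\n")
        with open(new_key, "wb") as f:
            f.write(b"-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n")

        replaced = install_pem_pair(config_dir, new_cert, new_key)
        results["replaced"] = sorted(os.path.basename(p) for p in replaced)
        with open(os.path.join(config_dir, "node.crt"), "rb") as f:
            results["cert_updated"] = CERT_MARKER in f.read()
        results["no_staging_leftovers"] = not any(
            n.startswith(".staged-") for n in os.listdir(config_dir))
        # Swapped arguments must be rejected before anything is touched.
        try:
            install_pem_pair(config_dir, new_key, new_cert)
            results["rejects_swapped_pair"] = False
        except ValueError:
            results["rejects_swapped_pair"] = True
        # A name the node is not configured with must be rejected too.
        other = os.path.join(incoming, "other.crt")
        shutil.copyfile(new_cert, other)
        try:
            install_pem_pair(config_dir, other, new_key)
            results["rejects_new_name"] = False
        except FileNotFoundError:
            results["rejects_new_name"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two renames are still two operations, so this shortens the mismatch window rather than closing it; that, together with the second risk in the note (existing connections keep working after a bad swap), is why the page recommends a rolling restart when you can afford one. After an in-place swap, verify with a fresh connection to the node rather than trusting sessions that were already open.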