Manage TLS encryption in self-managed deployments
Self Managed
This section provides guidance on managing TLS certificates in self-managed deployments after the initial security setup. It covers tasks such as configuring mutual authentication, renewing certificates, and customizing supported TLS versions and cipher suites.
If you're looking to secure a new or existing cluster by setting up TLS for the first time, refer to Set up security in self-managed deployments, which covers both the automatic and manual configuration procedures.
The topics in this section focus on post-setup tasks:
- Mutual TLS authentication between Kibana and Elasticsearch: Strengthen security by requiring Kibana to use a client certificate when connecting to Elasticsearch.
- Update TLS certificates: Renew or replace existing TLS certificates before they expire.
- Supported SSL/TLS versions by JDK version: Customize the list of supported SSL/TLS versions in your cluster.
- Enabling cipher suites for stronger encryption: Enable additional cipher suites for TLS communications, including those used with authentication providers.
For an overview of the endpoints that can be secured in Elasticsearch and Kibana, refer to Communication channels.
In self-managed deployments, you are responsible for certificate lifecycle management, including monitoring expiration dates, renewing certificates, and redeploying them as needed. If you used Elastic tools to generate your certificates, refer to Update TLS certificates for guidance on rotating or replacing them.
Refer to Transport TLS/SSL settings and HTTP TLS/SSL settings for the complete list of TLS-related settings in Elasticsearch.
For Kibana, refer to Kibana general settings, and search for all ssl-related settings. TLS settings for the HTTPS server are under the server.ssl namespace, while settings for the connection to Elasticsearch are under elasticsearch.ssl.