1

I'm new to Elasticsearch. I integrated my Spring Boot application with Elasticsearch through the Java High Level REST Client, and I've enabled security by providing the properties below after setting up the certificate and passwords:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Will this certificate expire? If yes, how do I handle this scenario in production?

Devkinandan Chauhan

3 Answers

3

As per my R&D: the self-signed SSL certificate generated through "elasticsearch-certutil" expires 3 years after it is created; we will need to deploy new certificates then.

Devkinandan Chauhan
3

Yes, you are correct. By default, the CA and certificate expire in 3 years.

You can call the GET API below, as per the Elasticsearch documentation, to check the expiry:

GET /_ssl/certificates
1

In case you don't get all the results in Kibana with the API mentioned above, you can check manually with the following:

openssl pkcs12 -in /path/to/cert/cert.p12 -clcerts -nodes -passin pass: | openssl x509 -noout -enddate

This works with .p12 certificates. The output will look like this on CentOS 7:

MAC verified OK
notAfter=Nov 14 08:48:50 2024 GMT
Tyler2P
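A monitoring check built on the two checks in the answers above, as an added example that is not part of the original posts: it parses the expiry field of a GET /_ssl/certificates response and the notAfter= line printed by openssl, and reports certificates that expire within a threshold. The sample response, the 30-day default and the function names are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a GET /_ssl/certificates response (all values are made up).
SAMPLE_API_RESPONSE = """[
  {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
   "subject_dn": "CN=instance", "serial_number": "0a1b2c", "has_private_key": true,
   "expiry": "2024-11-14T08:48:50.000Z"},
  {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
   "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
   "serial_number": "0d4e5f", "has_private_key": false,
   "expiry": "2027-03-01T00:00:00.000Z"}
]"""

def parse_api_expiry(value):
    """Parse the ISO 8601 'expiry' field of a /_ssl/certificates entry (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_openssl_enddate(output):
    """Extract notAfter from `openssl x509 -noout -enddate` output (English month names)."""
    for line in output.splitlines():
        if line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip()
            return datetime.strptime(stamp, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    raise ValueError("no notAfter= line in openssl output")

def expiring(certs, now, warn_days=30):
    """Return (alias, days_left) for certs expiring within warn_days, soonest first.
    Already-expired certificates are included with a negative days_left."""
    hits = []
    for cert in certs:
        days_left = (parse_api_expiry(cert["expiry"]) - now).days
        if days_left <= warn_days:
            hits.append((cert.get("alias"), days_left))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for alias, days in expiring(json.loads(SAMPLE_API_RESPONSE), now):
        status = "EXPIRED" if days < 0 else str(days) + " days left"
        print(alias, status)
```

Run on a schedule against the live API response, this gives advance warning before the 3-year default lapses, so the replacement certificates can be deployed ahead of expiry.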