Open
Description
We do not provide guidance on how to approach a CA certificates replacement in Fleet Server and/or Elasticsearch with Fleet-managed Elastic Agents.
The CA used by Elastic Agent to trust the Fleet Server cannot be provided in the policy. It is only available as a command line parameter and it points to a local file.
- Do we support multiple CAs in Elastic Agents?
- Can we hot-swap the CA (is it reloaded by Elastic Agent), or is it reloaded only at startup?
Ideally, for updating the CA in Fleet Server without downtime:
- All the Elastic Agents enrolled to the Fleet Server should be updated to trust both the OLD CA and NEW CA. How?
- Fleet Server can be restarted, replacing the Fleet Server certificates and CA. How?
Ideally, for updating the CA in Elasticsearch without downtime:
- All the Elastic Agents enrolled to the Fleet Server should be updated to trust both the OLD CA and NEW CA. Elasticsearch certs are typically defined in the Fleet UI / Output settings (via reference to a file or embedded in the policy). How?
- Fleet Server should be also configured to trust both the OLD CA and NEW CA of Elasticsearch. How?
- Elasticsearch should be rolling-restarted to update its CA. How to do it is not in the scope of the guide.
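Added example (not from this issue, and not Elastic's own tooling): both procedures above depend on the same property, that a PEM bundle holding the OLD and NEW CA verifies server certificates issued by either one, so every client (Elastic Agent for Fleet Server, and both Elastic Agent and Fleet Server for Elasticsearch) has to load the combined bundle before any server certificate is swapped. The script below simulates that with the `openssl` CLI only: it creates two throwaway CAs, issues a Fleet Server certificate from each, and shows that the NEW-CA certificate fails against the OLD CA alone but passes against the concatenated bundle. The CA names and the hostname `fleet-server.example.internal` are made up; it does not answer the reload questions above, and it assumes (not verified here) that the Agent CA file parameter and the output `ssl.certificate_authorities` setting accept a PEM file containing more than one certificate, which is the normal behaviour of PEM trust stores.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or from Elastic): simulate a CA rotation
# with openssl and show why the client-side bundle must hold BOTH CAs during
# the transition. All names below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file stem, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a server certificate signed by CA $1, written to $WORK/$2.pem
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=fleet-server.example.internal" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Exit 0 when server cert $2 chains to some CA in bundle $1,
# which is the check a TLS client performs on the server's chain.
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The transition bundle: PEM certificates simply concatenate, and a client
# treats every certificate in the file as a trust anchor.
build_transition_bundle() {
  cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/both-ca.pem"
}

# Number of certificates in a PEM bundle
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Human-readable verdict for one (bundle, server cert) pair
report() {
  if verify_against "$1" "$2"; then
    echo "OK   $(basename "$2") verified with $(basename "$1")"
  else
    echo "FAIL $(basename "$2") verified with $(basename "$1")"
  fi
}

run_rotation_demo() {
  make_ca old-ca "Old Fleet CA"
  make_ca new-ca "New Fleet CA"
  issue_server_cert old-ca server-old   # cert the server presents today
  issue_server_cert new-ca server-new   # cert it presents after the restart
  build_transition_bundle

  echo "transition bundle holds $(count_certs "$WORK/both-ca.pem") CAs"
  for bundle in old-ca new-ca both-ca; do
    for srv in server-old server-new; do
      report "$WORK/$bundle.pem" "$WORK/$srv.pem"
    done
  done
}

run_rotation_demo
```

The order that falls out of this is: ship `both-ca.pem` to every Elastic Agent and to Fleet Server first, restart (or reload, if the open question above is answered in the affirmative) so it is actually loaded, only then replace the server certificates, and drop the OLD CA from the bundle once no server certificate issued by it is still presented anywhere.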