It’s not possible to extend the expiry date of a certificate, but you can create a new one. If you are using SSL/TLS certificates in PKCS #12 (p12) format, you can use this article to create a new certificate.
# elasticsearch.yml
cluster.name: certificate
node.name: es03
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["es01", "es02", "es03"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: 1q2w3e
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.password: 1q2w3e
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: 1q2w3e
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.password: 1q2w3e
In this example, I will use the same certificate for both the keystore and the truststore. If you are using different certificates, you don’t need to worry about it; you can follow the same steps. You will create ONE certificate for all nodes.
This means that the new certificate is generated once and then copied to ALL nodes.
Let’s start:
- # create a new CA certificate
./bin/elasticsearch-certutil ca
Please enter the desired output file [elastic-stack-ca.p12]: <enter>
Enter password for elastic-stack-ca.p12 : <type your old password>
elastic-stack-ca.p12 created.
- # create a new client certificate
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
Enter password for CA (elastic-stack-ca.p12) : <type your old password>
Please enter the desired output file [elastic-certificates.p12]: <enter>
Enter password for elastic-certificates.p12 : <type your old password>
elastic-certificates.p12 created
- # copy the new certificate to all nodes
When you copy the certificate, you will see the following message in elasticsearch.log:
[ ][INFO ][o.e.x.c.s.SSLConfigurationReloader] [es03] reloaded [/elasticsearch/elasticsearch_cluster/es03/config/elastic-certificates.p12] and updated SSL contexts using this file
Note: If you restart a node without copying the new certificate to all nodes you will get the following errors:
[][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [es02] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9300, remoteAddress=/[0:0:0:0:0:0:0:1]:57299, profile=default}
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
[][WARN ][o.e.c.s.DiagnosticTrustManager] [es03] failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=instance] and fingerprint []; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint []) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl]); this ssl context does trust a certificate with subject [CN=Elastic Certificate Tool Autogenerated CA] but the trusted certificate has fingerprint [0d9848424c5cc9fec11b2bfcd6175511fd1a60f7]
Now you are using the new certificate.
Elasticsearch checks certificates every 5 seconds and automatically detects changes, so you don’t need to restart Elasticsearch. If you want to check the new certificate, you can use the following command:
curl -k -u elastic:<password> 'https://localhost:9200/_ssl/certificates?pretty'
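As an added example (not from the original post), the following Python parses the JSON that the _ssl/certificates command above returns, flags entries that are close to expiry (the question answered by hand with the openssl -enddate check in the Questions section), and compares the keystore serial numbers reported by several nodes, so that a node still serving the old elastic-certificates.p12 (the "does not chain with any of the trust anchors" situation above) is spotted before it is restarted. The node responses and the "today" date are constructed samples; only the field names are those of the real API.

```python
import json
from datetime import datetime, timezone

# Constructed sample responses (not captured from a real cluster). The field
# names follow the real `_ssl/certificates` output; the values are made up.
ES01_RESPONSE = json.dumps([
    {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
     "subject_dn": "CN=instance", "serial_number": "0a1b2c",
     "has_private_key": True, "expiry": "2045-11-15T16:32:53.000Z"},
    {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
     "serial_number": "ff00ee", "has_private_key": False,
     "expiry": "2045-11-15T16:32:53.000Z"},
])
ES03_RESPONSE = ES01_RESPONSE  # es03 received the same new p12 as es01
# es02 was skipped when copying: it still serves the old keystore entry,
# with a different serial number and an expiry only weeks away.
ES02_RESPONSE = json.dumps([
    {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
     "subject_dn": "CN=instance", "serial_number": "77aa99",
     "has_private_key": True, "expiry": "2025-11-15T16:32:53.000Z"},
])
NOW = datetime(2025, 10, 26, tzinfo=timezone.utc)  # constructed "today"

def parse_expiry(value):
    """The API emits ISO-8601 with milliseconds and a trailing Z (UTC)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def expiring_soon(response_text, now=NOW, threshold_days=30):
    """Return [(alias, days_left)] for certificates that expire within
    threshold_days; an already-expired entry shows a negative days_left."""
    flagged = []
    for cert in json.loads(response_text):
        days_left = (parse_expiry(cert["expiry"]) - now).days
        if days_left <= threshold_days:
            flagged.append((cert["alias"], days_left))
    return flagged

def keystore_serials(responses, alias="instance"):
    """Map serial number -> sorted node names for the private-key entry
    `alias` in each node's response ({node: response_text}). After the new
    p12 has been copied everywhere the result has exactly one key; a
    second key names the nodes still on the old certificate."""
    by_serial = {}
    for node, text in responses.items():
        for cert in json.loads(text):
            if cert["alias"] == alias and cert["has_private_key"]:
                by_serial.setdefault(cert["serial_number"], []).append(node)
    return {serial: sorted(nodes) for serial, nodes in by_serial.items()}
```

Run it against the real output of the curl command from each node (one response per node) to confirm every node reports the same serial number before restarting anything.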
Questions:
* How can I check my old password?
openssl pkcs12 -in elastic-certificates.p12 -nokeys | openssl x509 -noout -enddate
Enter Import Password: <type your old password>
MAC verified OK
notAfter=Nov 15 16:32:53 2025 GMT
If you get a similar output as above all is well and your password is correct.
* How can I extend the expiry date of the old certificate?
It’s not possible to extend it. You need to create a new one.
* Can I set the expiry date of a new certificate?
Yes, you can. For both CA and CLIENT certificates you can set the expiry date with the “--days” parameter, for example:
./bin/elasticsearch-certutil ca --days 7200
* I have updated the Elasticsearch certificates. Is this certificate used elsewhere?
Probably yes. Check your indexer applications such as Filebeat and Logstash, your search applications such as Kibana, and any other application that talks to the cluster. If these applications communicate using the certificates, you should update the certificates there as well.