Spaces method and path for this operation:
POST /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
Refer to Spaces for more information.
Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing acknowledge=true as a query parameter.
[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
POST /api/fleet/message_signing_service/rotate_key_pair
curl \
  --request POST 'https://localhost:5601/api/fleet/message_signing_service/rotate_key_pair?acknowledge=true' \
  --header "Authorization: $API_KEY" \
  --header "kbn-xsrf: true"
Response examples (200)
The key pair was rotated. All agents must be re-enrolled to receive the new signing key.
{
  "message": "Key pair rotated successfully."
}
Response examples (400)
Request was rejected because the acknowledge query parameter was not set to true.
{
  "error": "Bad Request",
  "message": "Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.",
  "statusCode": 400
}
Response examples (500)
The message signing service is not available.
{
  "error": "Internal Server Error",
  "message": "Failed to rotate key pair. Message signing service is unavailable!",
  "statusCode": 500
}
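Because the rotation is irreversible, an operator script can require a typed confirmation before it ever sends acknowledge=true, and can map the three documented status codes to a next step. The wrapper below is an added example, not Elastic's code; KIBANA_URL, the function names, the ROTATE confirmation word and the space id character rule are assumptions of this sketch.

```shell
# Added example, not Elastic's code. KIBANA_URL, API_KEY and all function
# names are assumptions of this sketch.

# Build the endpoint URL; a non-empty space id selects the /s/{space_id} form.
rotate_url() {
  local base="${1%/}"
  local space="${2:-}"
  local prefix=""
  # Conservative rule chosen for this example: only a-z, 0-9, _ and - in a space id.
  case "$space" in *[!a-z0-9_-]*) echo "invalid space id" >&2; return 1 ;; esac
  if [ -n "$space" ]; then prefix="/s/$space"; fi
  printf '%s%s/api/fleet/message_signing_service/rotate_key_pair?acknowledge=true' \
    "$base" "$prefix"
}

# Map the documented status codes to the operator's next step.
interpret_status() {
  case "$1" in
    200) echo "rotated: re-enroll all agents" ;;
    400) echo "rejected: acknowledge=true was not set" ;;
    500) echo "failed: message signing service unavailable" ;;
    *)   echo "unexpected status: $1" ;;
  esac
}

# Usage: rotate_key_pair <space_id or ""> ROTATE
# Nothing is sent unless the caller passes the confirmation word.
rotate_key_pair() {
  local url status
  if [ "${2:-}" != "ROTATE" ]; then
    echo "refused: pass ROTATE as the second argument to confirm" >&2
    return 2
  fi
  url=$(rotate_url "${KIBANA_URL:-}" "${1:-}") || return 1
  status=$(curl --silent --output /dev/null --write-out '%{http_code}' \
    --request POST "$url" \
    --header "Authorization: $API_KEY" \
    --header "kbn-xsrf: true") || return 1
  interpret_status "$status"
  [ "$status" = "200" ]
}
```

The function returns non-zero for anything other than a 200, so a calling script can stop before starting agent re-enrollment.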