You might need to update your TLS certificates if your current node certificates expire soon, you’re adding new nodes to your secured cluster, or a security breach has broken the trust of your certificate chain. Use the SSL certificate API to check when your certificates are expiring.
In instances where you have access to the original Certificate Authority (CA) key and certificate that you used to sign your existing node certificates (and where you can still trust your CA), you can use that CA to sign the new certificates.
If you have to trust a new CA from your organization, or you need to generate a new CA yourself, you need to use this new CA to sign the new node certificates and instruct your nodes to trust the new CA. In this case, you’ll sign node certificates with your new CA and instruct your nodes to trust this certificate chain.
Depending on which certificates are expiring, you might need to update the certificates for the transport layer, the HTTP layer, or both.
Regardless of the scenario, Elasticsearch monitors the SSL resources for updates by default, on a five-second interval. You can just copy the new certificate and key files (or keystore) into the Elasticsearch configuration directory and your nodes will detect the changes and reload the keys and certificates.
Because Elasticsearch doesn’t reload the
you must use the same file names if you want to take advantage of automatic certificate and key reloading.
If you need to update the
elasticsearch.yml configuration or change
passwords for keys or keystores that are stored in the
secure settings, then you must complete a
rolling restart. Elasticsearch will not automatically reload changes for
passwords stored in the secure settings.