Reputation: 1925
I'm new to Elasticsearch. I integrated my Spring Boot application with Elasticsearch through the Java High Level REST Client,
and I've enabled security by providing the below properties after setting up the certificate and passwords:
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
Will this certificate expire? If yes, then how to handle this scenario in production?
Upvotes: 2
Views: 5531
Reputation: 11
In case you don't have all the results in Kibana with the API mentioned above, you can check manually with the following:
openssl pkcs12 -in /path/to/cert/cert.p12 -clcerts -nodes -passin pass: | openssl x509 -noout -enddate
This works with .p12 certificates. The output will look like this in CentOS 7:
MAC verified OK
notAfter=Nov 14 08:48:50 2024 GMT
Upvotes: 1
Reputation: 58
Yes, you are correct. By default, the CA and certificate expire in 3 years.
You can hit the below GET API, as per the Elasticsearch documentation, to check the expiry:
GET /_ssl/certificates
Upvotes: 4
Reputation: 1925
As per my R&D: the self-signed SSL certificate generated through "elasticsearch-certutil" expires 3 years after it is created; we will need to deploy new certificates then.
Upvotes: 3
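An added example, not part of any of the posts above and not Elastic's code: a small Python check that parses a `GET /_ssl/certificates` response body and flags certificates that are expired or expire within a warning window, so renewal can be scheduled before the 3-year lifetime runs out. The sample response is constructed, and the function names and the 30-day threshold are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a GET /_ssl/certificates response body;
# the values are made up for illustration, not taken from a real cluster.
SAMPLE_RESPONSE = """[
  {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "ca",
   "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
   "serial_number": "0a1b2c", "has_private_key": false,
   "expiry": "2024-11-14T08:48:50.000Z"},
  {"path": "elastic-certificates.p12", "format": "PKCS12", "alias": "instance",
   "subject_dn": "CN=instance", "serial_number": "0d4e5f",
   "has_private_key": true, "expiry": "2024-11-14T08:48:50.000Z"},
  {"path": "http.p12", "format": "PKCS12", "alias": "http",
   "subject_dn": "CN=es01", "serial_number": "1a2b3c",
   "has_private_key": true, "expiry": "2026-03-01T00:00:00.000Z"}
]"""

def parse_expiry(value):
    """Parse the UTC timestamp carried in the 'expiry' field."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def expiring_certificates(response_body, now, warn_days=30):
    """Return (path, alias, subject_dn, days_left) for certificates that are
    expired or expire within warn_days, soonest first."""
    findings = []
    for cert in json.loads(response_body):
        days_left = (parse_expiry(cert["expiry"]) - now).days
        if days_left <= warn_days:
            findings.append((cert["path"], cert.get("alias"), cert["subject_dn"], days_left))
    return sorted(findings, key=lambda f: f[3])

def exit_code(findings):
    """Monitoring-style exit code: 2 = already expired, 1 = warning, 0 = ok."""
    if any(days < 0 for *_, days in findings):
        return 2
    return 1 if findings else 0

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    findings = expiring_certificates(SAMPLE_RESPONSE, now)
    for path, alias, subject, days in findings:
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{path} [{alias}] {subject}: {state}")
    raise SystemExit(exit_code(findings))
```

In production, feed it the body returned by an authenticated request to the cluster instead of `SAMPLE_RESPONSE` and run it from a scheduler or monitoring agent.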