SG Certificates are expiring, how to renew the SG Admin certificates

Search Guard
1

If you think it is a bug report or you have a technical issue, please answer the following questions. For general questions, you can delete these questions.

Elasticsearch version: 7.17.3

Server OS version: Windows 2019

Kibana version (if relevant): 7.17.3

Browser version (if relevant):

Browser OS version (if relevant):

Describe the issue:

Steps to reproduce:
1.
2.
3.

Expected behavior:

Provide configuration:
elasticsearch/config/elasticsearch.yml
elasticsearch/plugins/search-guard-7/sgconfig/sg_config.yml
kibana/config/kibana.yml (if relevant)

Provide logs:
Elasticsearch
Kibana (if relevant)

Screenshots (if relevant):

Errors in browser console (if relevant):

Additional data:

2

I am using the SG Community edition, can someone let me know the steps to renew the certificates for SG Admin and SG Client.

Thank you

3

Hi @amalk12,

Have you tried using TLS Tool?
You can see more info here: https://docs.search-guard.com/latest/offline-tls-tool

Best,
Mantas

4

You might as well be interested in https://docs.search-guard.com/latest/configuring-tls

5

thanks for the reply. will go through the docs.

6

I’ve had bad luck where the full CN of the cert changes between issuance, so I’ve added multiple admin cert CN’s over time. If the CN name just matches what you already have configured, you should be good to go without restarting. if you need to update cluster certs, you can do that in a rolling fashion; not sure if you need a restart, but I usually take the chance to upgrade my servers and stuff anyway.

7

Thanks for your response. i will keep this in mind, while i am performing the certs upgrade.

Thank you
AK

8

Hi ,

I have a question, where is the SG Admin and SG Client certificate located in the server. i have a SG installed on the windows servers. if some one can tell me the location where i can find these certs.

Thanks

9

some one can help me with this question. Is there any default SG Admin and Client certificates installed on the machine, can anyone let me know about the location

10

Hi @amalk12,

if you have Demo certificates installed you should see admin certs as per below:

   -cacert ../../elasticsearch-7.xx.xx/config/root-ca.pem 
   -cert ../../elasticsearch-7.xx.xx/config/kirk.pem 
   -key ../../elasticsearch-7.xx.xx/config/kirk-key.pem

You can also use the Search Guard TLS Tool to generate new certificates, please see more info here : https://docs.search-guard.com/latest/offline-tls-tool

Please let me know if you need more guidance.

Best,
Mantas

11

Hi Mantas,
i am getting a notification that my SG Admin Cert and SG Client cert is expiring , but unfortunately i am unable to find these certs in my elk yaml file. so trying to figure out where these certs are and if they need to be renewed or not.

can i check which certs my SG is using currently … so i dont delete the existing certs

14

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.