SG Certificates are expiring, how to renew the SG Admin certificates

Elasticsearch version: 7.17.3

Server OS version: Windows 2019

Kibana version (if relevant): 7.17.3

I am using the SG Community edition. Can someone let me know the steps to renew the certificates for SG Admin and SG Client?

Thank you

Hi @amalk12,

Have you tried using TLS Tool?
You can see more info here: https://docs.search-guard.com/latest/offline-tls-tool

Best,
Mantas

You might also be interested in https://docs.search-guard.com/latest/configuring-tls

Thanks for the reply. Will go through the docs.

I’ve had bad luck where the full CN of the cert changes between issuance, so I’ve added multiple admin cert CNs over time. If the CN name just matches what you already have configured, you should be good to go without restarting. If you need to update cluster certs, you can do that in a rolling fashion; not sure if you need a restart, but I usually take the chance to upgrade my servers and stuff anyway.

Thanks for your response. I will keep this in mind while I am performing the certs upgrade.

Thank you
AK

Hi,

I have a question: where are the SG Admin and SG Client certificates located on the server? I have SG installed on Windows servers. Can someone tell me the location where I can find these certs?

Thanks

Can someone help me with this question? Are there any default SG Admin and Client certificates installed on the machine? Can anyone let me know about the location?

Hi @amalk12,

If you have Demo certificates installed you should see admin certs as per below:

   -cacert ../../elasticsearch-7.xx.xx/config/root-ca.pem 
   -cert ../../elasticsearch-7.xx.xx/config/kirk.pem 
   -key ../../elasticsearch-7.xx.xx/config/kirk-key.pem 

You can also use the Search Guard TLS Tool to generate new certificates, please see more info here: https://docs.search-guard.com/latest/offline-tls-tool

Please let me know if you need more guidance.

Best,
Mantas
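
The advice in this thread comes down to two checks on an admin certificate such as the demo `kirk.pem` or its renewed replacement: when it expires, and whether its subject DN matches one already configured. The script below is an added example, not code from the thread or from Search Guard; it assumes `openssl` is on the PATH (for example in Git Bash on Windows) and that admin DNs are written in block-list form under `searchguard.authcz.admin_dn` in `elasticsearch.yml`. The function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-renewal checks for a Search Guard admin certificate.
# Assumes openssl is on PATH; every file path is supplied by the caller.

# Print the certificate subject in RFC 2253 form, e.g. CN=kirk,OU=client,...
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed (exit 0) when the certificate expires within the next $2 days.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# List the DNs under searchguard.authcz.admin_dn, one per line, with quotes
# and the spaces after commas removed. Only the block-list YAML form is read.
configured_admin_dns() {
  awk '
    /^searchguard\.authcz\.admin_dn:/ { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]*/ {
      sub(/^[ \t]*-[ \t]*/, ""); gsub(/["\047\r]/, "")
      gsub(/,[ \t]+/, ","); sub(/[ \t]+$/, ""); print; next
    }
    in_list && /^[ \t]*(#.*)?$/ { next }   # skip blank and comment lines
    { in_list = 0 }                        # any other key ends the list
  ' "$1"
}

# Succeed when the certificate subject exactly matches a configured admin DN
# (exact, case-sensitive string comparison is an assumption of this example).
cert_is_configured_admin() {
  configured_admin_dns "$2" | grep -Fxq -- "$(cert_subject "$1")"
}

# usage: check_admin_cert <cert.pem> <elasticsearch.yml> <days>
check_admin_cert() {
  echo "subject : $(cert_subject "$1")"
  echo "expires : $(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')"
  cert_expires_within "$1" "$3" && echo "WARNING: expires within $3 days"
  cert_is_configured_admin "$1" "$2" || echo "WARNING: subject is not listed under admin_dn"
  return 0
}
```

Run `check_admin_cert` against the current certificate first, then against the renewed one before replacing any files; a DN warning on the new certificate means `admin_dn` needs the new subject added.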