Skip to content

[Feature]: Allow bringing your own certificates for Elasticsearch #487

Description

@afeefghannam89

Describe the feature request

Current state

The elasticsearch role always uses certificates generated by elasticsearch-certutil.
elasticsearch.yml hardcodes the per-node p12 for both layers
(xpack.security.transport.ssl.* and xpack.security.http.ssl.*
certs/<host>.p12). There are no variables to use your own certificates or a
corporate/public CA.

Elasticsearch supports it

Using elasticsearch-certutil is not required — Elasticsearch accepts PEM
(certificate/key/certificate_authorities) or a keystore for both the transport
and HTTP layers. The beats role already exposes this via beats_tls_*; elasticsearch
does not.

Goal

Add variables so users can supply their own certificates / CA for Elasticsearch
(HTTP and transport layers) instead of the certutil-generated ones. All nodes must
share the same CA.

Safe defaults (non-breaking)

Default keeps today's certutil behaviour; the new options are additive.

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions