Describe the feature request
Current state
The elasticsearch role always uses certificates generated by elasticsearch-certutil.
elasticsearch.yml hardcodes the per-node p12 for both layers
(xpack.security.transport.ssl.* and xpack.security.http.ssl.* →
certs/<host>.p12). There are no variables to use your own certificates or a
corporate/public CA.
Elasticsearch supports it
Using elasticsearch-certutil is not required — Elasticsearch accepts PEM
(certificate/key/certificate_authorities) or a keystore for both the transport
and HTTP layers. The beats role already exposes this via beats_tls_*; elasticsearch
does not.
Goal
Add variables so users can supply their own certificates / CA for Elasticsearch
(HTTP and transport layers) instead of the certutil-generated ones. All nodes must
share the same CA.
Safe defaults (non-breaking)
Default keeps today's certutil behaviour; the new options are additive.
Describe the feature request
Current state
The elasticsearch role always uses certificates generated by
elasticsearch-certutil.elasticsearch.ymlhardcodes the per-node p12 for both layers(
xpack.security.transport.ssl.*andxpack.security.http.ssl.*→certs/<host>.p12). There are no variables to use your own certificates or acorporate/public CA.
Elasticsearch supports it
Using
elasticsearch-certutilis not required — Elasticsearch accepts PEM(
certificate/key/certificate_authorities) or a keystore for both the transportand HTTP layers. The beats role already exposes this via
beats_tls_*; elasticsearchdoes not.
Goal
Add variables so users can supply their own certificates / CA for Elasticsearch
(HTTP and transport layers) instead of the certutil-generated ones. All nodes must
share the same CA.
Safe defaults (non-breaking)
Default keeps today's certutil behaviour; the new options are additive.