[DOCS] Steps for updating TLS certificates (#73781)
* [DOCS] Steps for updating TLS certificates

* Updates for changing CA

* Updates for rotating certs with a new CA

* Add instructions for generating HTTP certs with a new CA

* Add steps for creating HTTP certs with new CA

* Clarify note about cluster restart and other edits

* Clarifying scenarios

* Apply suggestions from code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Incorporating review feedback and making necessary changes

* Clarifications and changes regarding restarts

* Remove errant --pem in basic security setup

* Incorporate suggestions from code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Many, many updates. But good ones.

* Add languages for snippets

* Reorder steps to reference rolling restart throughout for consistency

* Add clarifying what's next steps

* Add instructions for updating Kibana certificate

* Apply suggestions from Ioannis' stellar code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update instructions to use a single keystore, plus other review changes

* Incorporating another round of review comments

* Minor updates from reviewer feedback

* Clarifying examples and fixing numbering

* Skip tests that are creating unnecessary noise

* Quieting other tests

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
3 people committed Jul 28, 2021
1 parent c1ba949 commit 73e3b60
Showing 3 changed files with 774 additions and 3 deletions.
2 changes: 2 additions & 0 deletions x-pack/docs/en/security/index.asciidoc
Expand Up @@ -92,6 +92,8 @@ See <<enable-audit-logging,Enable audit logging>>.

include::configuring-stack-security.asciidoc[]

include::securing-communications/update-tls-certificates.asciidoc[]

include::authentication/overview.asciidoc[]

include::authorization/overview.asciidoc[]
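
Review bot: The include:: line for securing-communications/update-tls-certificates.asciidoc is placed at the top level of the security index, between configuring-stack-security.asciidoc and authentication/overview.asciidoc, so the certificate-rotation page is pulled in alongside the setup guide rather than from within it. Please confirm this is the intended position in the navigation and that the first heading of the included file uses the same section level as the files included around it, since a mismatch would nest or promote every section that follows.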
Expand Up @@ -91,16 +91,17 @@ generate a CA for your cluster.
----
./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
----
+
`--ca <ca_file>`:: Name of the CA file used to sign your certificates. The
default file name from the `elasticsearch-certutil` tool is `elastic-stack-ca.p12`.
+

a. Enter the password for your CA, or press *Enter* if you did not configure one in the previous step.

b. Create a password for the certificate and accept the default file name.
+
The output file is a keystore named `elastic-certificates.p12`. This file
contains a node certificate, node key, and CA certificate.
+
`--ca <ca_file>`:: Name of the CA file used to sign your certificates. The
default file name from the `elasticsearch-certutil` tool is `elastic-stack-ca.p12`.

. Copy the `elastic-certificates.p12` file to the `ES_PATH_CONF`
directory on every node in your cluster.
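
Review bot: The list continuation `+` that follows the relocated `--ca <ca_file>`:: definition (directly under the command block) is followed by a blank line before "a. Enter the password for your CA", so it has nothing adjacent to attach. In AsciiDoc a continuation marker needs to sit directly against the block it joins; a dangling one can render as a stray "+" or detach the sub-steps from the numbered step. Suggest dropping that second `+`, or removing the blank line after it if the sub-steps are meant to stay attached to the step. Moving the `--ca` description up next to the command it documents reads well otherwise.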