From e4c1f54fe4a61f6c43cd25c7779bcac3e15b3c62 Mon Sep 17 00:00:00 2001 From: Aleksandra Spilkowska Date: Tue, 16 Sep 2025 14:51:42 +0200 Subject: [PATCH 1/2] Add a "Limitations" section to certificates-rotation --- reference/fleet/certificates-rotation.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/reference/fleet/certificates-rotation.md b/reference/fleet/certificates-rotation.md index 72d56968f5..19b41d772a 100644 --- a/reference/fleet/certificates-rotation.md +++ b/reference/fleet/certificates-rotation.md @@ -14,6 +14,8 @@ In some scenarioes you may want to rotate your configured certificate authoritie * [Rotating an {{es}} CA for connections from {{fleet-server}}](#certificates-rotation-fs-es) * [Rotating an {{es}} CA for connections from {{agent}}](#certificates-rotation-agent-es) +For important notes about current limitations (such as restart requirements and unsupported features), refer to [Limitations](#limitations). + ## Rotating a {{fleet-server}} CA [certificates-rotation-agent-fs] 
@@ -193,3 +195,23 @@ To rotate a CA certificate on {{es}} for connections from {{agent}}: :alt: Screen capture of the Edit Output UI: Elasticsearch CA trusted fingerprint :screenshot: ::: + +## Limitations + +Keep the following in mind when rotating certificates and certificate authorities (CAs): + +* **Agent restart required** + + Elastic Agent does not support hot reloading of updated certificates or CA files. You must restart the agent to apply changes. + +* **Directory loading not supported** + + Unlike Beats, Elastic Agent does not support passing a directory of CAs (for example, `--capath`) or monitoring a directory for changes. You must reference a specific file. + +* **Rotation without re-enrollment** + + When rotating a CA, you can avoid agent re-enrollment by including both the old and new CAs in the configured CA file, restarting the agent, and then removing the old CA after the switch. + +* **Mutual TLS (`--fleet-server-client-auth=required`)** + + If mTLS is enabled, you must apply the same overlap approach (adding a new CA before removing the old) on both client and server. The rotation process itself is otherwise unchanged. \ No newline at end of file From 4c14f9374fb532e8ab17bc6390f2f73eb17882a2 Mon Sep 17 00:00:00 2001 From: Aleksandra Spilkowska Date: Thu, 18 Sep 2025 09:29:51 +0200 Subject: [PATCH 2/2] Add placeholders --- reference/fleet/certificates-rotation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/reference/fleet/certificates-rotation.md b/reference/fleet/certificates-rotation.md index 19b41d772a..b9f40ee5c1 100644 --- a/reference/fleet/certificates-rotation.md +++ b/reference/fleet/certificates-rotation.md 
@@ -202,11 +202,11 @@ Keep the following in mind when rotating certificates and certificate authoritie * **Agent restart required** - Elastic Agent does not support hot reloading of updated certificates or CA files. You must restart the agent to apply changes. + {{agent}} does not support hot reloading of updated certificates or CA files. You must restart the agent to apply changes. * **Directory loading not supported** - Unlike Beats, Elastic Agent does not support passing a directory of CAs (for example, `--capath`) or monitoring a directory for changes. You must reference a specific file. + Unlike {{beats}}, {{agent}} does not support passing a directory of CAs (for example, `--capath`) or monitoring a directory for changes. You must reference a specific file. * **Rotation without re-enrollment**
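Review bot: in the first hunk of PATCH 1/2 (`@@ -14,6 +14,8 @@`), the new cross-reference `[Limitations](#limitations)` relies on an auto-generated slug, while every other in-page link in this file targets an explicit heading ID (`#certificates-rotation-fs-es`, `#certificates-rotation-agent-es`); give the new section an explicit ID in the same style and link to it, for example `[Limitations](#certificates-rotation-limitations)`, so the link does not break if the slug generation changes. The unchanged context line `In some scenarioes you may want to rotate your configured certificate authoritie...` also carries a typo (`scenarios`) that could be fixed in the same change since this PR already touches the intro.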
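Review bot: in the second hunk of PATCH 1/2 (`@@ -193,3 +195,23 @@`), the "Agent restart required" and "Rotation without re-enrollment" bullets do not line up: the first says any change to the certificate or CA file needs an agent restart, but the third describes "removing the old CA after the switch" without saying that this removal is itself a file change that needs another restart. Write the overlap procedure as ordered steps (add the new CA to the configured CA file, restart the agent, switch the server to the certificate issued by the new CA, remove the old CA from the file, restart again) so a reader does not remove the old CA and assume the agent has picked that up. Two smaller points in the same hunk: `## Limitations` has no explicit heading ID, unlike the other `##` headings in this file (`[certificates-rotation-agent-fs]`), and the file now ends with `\ No newline at end of file`; add an ID such as `[certificates-rotation-limitations]` and a trailing newline.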
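Review bot: in the hunk of PATCH 2/2 (`@@ -202,11 +202,11 @@`), the product names are switched to the `{{agent}}` and `{{beats}}` substitutions but the parenthetical `(for example, `--capath`)` in the "Directory loading not supported" bullet is left as is; now that the sentence explicitly contrasts with {{beats}}, confirm that `--capath` is an option readers will recognise from either product, and otherwise replace it with the actual Beats setting being contrasted or drop the parenthetical, so nobody reads it as a flag to try on the agent. Consider also using `{{agent}}` in "You must restart the agent" in the first bullet for consistency with the rest of the renamed text.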