One-way and mutual TLS certifications flow
This page provides an overview of the relationship between the various certificates and certificate authorities (CAs) that you configure for Fleet Server and Elastic Agent, using the elastic-agent install TLS command options.
You can also configure one-way and mutual TLS connections using Kibana. Stack
The following elastic-agent install command configures a Fleet Server with the required certificates and certificate authorities to enable one-way TLS connections between the components involved:
elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
--certificate-authorities=/path/to/fleet-ca \
--fleet-server-es=https://es.elastic.com:443 \
--fleet-server-es-ca=/path/to/es-ca \
--fleet-server-cert=/path/to/fleet-cert \
--fleet-server-cert-key=/path/to/fleet-cert-key \
--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \
--fleet-server-policy=FLEET-SERVER-POLICY-ID \
--fleet-server-port=8220
Elastic Agent is configured with fleet-ca as the certificate authority that it needs to validate certificates from Fleet Server.
During the TLS connection setup, Fleet Server presents its certificate fleet-cert to the agent and the agent (as a client) uses fleet-ca to validate the presented certificate.
Fleet Server also establishes a secure connection to an Elasticsearch cluster. In this case, Fleet Server is configured with the certificate authority from the Elasticsearch es-ca. Elasticsearch presents its certificate, es-cert, and Fleet Server validates the presented certificate using the certificate authority es-ca.
The following elastic-agent install command configures a Fleet Server with the required certificates and certificate authorities to enable mutual TLS connections between the components involved:
elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \
--elastic-agent-cert=/path/to/agent-cert \
--elastic-agent-cert-key=/path/to/agent-cert-key \
--elastic-agent-cert-key=/path/to/agent-cert-key-passphrase \
--fleet-server-es=https://es.elastic.com:443 \
--fleet-server-es-ca=/path/to/es-ca \
--fleet-server-es-cert=/path/to/fleet-es-cert \
--fleet-server-es-cert-key=/path/to/fleet-es-cert-key \
--fleet-server-cert=/path/to/fleet-cert \
--fleet-server-cert-key=/path/to/fleet-cert-key \
--fleet-server-client-auth=required \
--fleet-server-service-token=FLEET-SERVER-SERVICE-TOKEN \
--fleet-server-policy=FLEET-SERVER-POLICY-ID \
--fleet-server-port=8220
As with the one-way TLS example, Elastic Agent is configured with fleet-ca as the certificate authority that it needs to validate certificates from the Fleet Server. Fleet Server presents its certificate fleet-cert to the agent and the agent (as a client) uses fleet-ca to validate the presented certificate.
To establish a mutual TLS connection, the agent presents its certificate, agent-cert, and Fleet Server validates this certificate using the agent-ca that it has stored in memory.
Fleet Server can also establish a mutual TLS connection to the Elasticsearch cluster. In this case, Fleet Server is configured with the certificate authority from the Elasticsearch es-ca and uses this to validate the certificate es-cert presented to it by Elasticsearch.
Note that you can also configure mutual TLS for Fleet Server and Elastic Agent using a proxy.
Stack
You can configure TLS and mutual TLS (mTLS) settings for Fleet Server and outputs using the Fleet UI.
To access these settings:
- In Kibana, go to Management > Fleet > Settings.
- Under Fleet Server hosts, select Add host or edit an existing host.
- Expand the SSL options or Authentication section.
The following table shows the available UI fields and their CLI equivalents:
| UI Field | CLI Flag | Purpose |
|---|---|---|
| Server SSL certificate authorities | --certificate-authorities |
CA to validate agent certificates (Fleet Server authenticates agent) |
| Client SSL certificate | --fleet-server-cert |
TLS certificate Fleet Server presents to agent (agent validates it) |
| Client SSL certificate key | --fleet-server-cert-key |
Key paired with the Fleet Server client certificate |
| Elasticsearch certificate authorities | --fleet-server-es-ca |
CA Fleet Server uses to validate Elasticsearch cert |
| SSL certificate for Elasticsearch | --fleet-server-es-cert |
Fleet Server’s mTLS certificate for Elasticsearch |
| SSL certificate key for Elasticsearch | --fleet-server-es-cert-key |
Key paired with the Fleet Server’s Elasticsearch certificate |
| Enable client authentication | --fleet-server-client-auth |
Require agents to present client certificates (mTLS only) |
To access these settings:
- In Kibana, go to Management > Fleet > Settings.
- Under Outputs, select Add output or edit an existing output.
- Expand the SSL options or Authentication section.
These apply to Elasticsearch and Remote Elasticsearch only, and are only necessary when setting up an mTLS connection:
| UI Field | CLI Flag | Purpose |
|---|---|---|
| Server SSL certificate authorities | --certificate-authorities |
CA the agent uses to verify the output’s TLS certificate |
| Client SSL certificate | --elastic-agent-cert |
Certificate used by agent to authenticate with output (for mTLS) |
| Client SSL certificate key | --elastic-agent-cert-key |
Key paired with agent mTLS certificate |
Editing SSL or proxy settings for an existing Fleet Server might cause agents to lose connectivity. After changing client certificate settings, you might need to re-enroll the affected agents.