Update hot reload documentation to show how DN validation can be skipped
Signed-off-by: Paris Larkins <[email protected]>
parislarkins committed Jan 17, 2025
1 parent 2957a1f commit eeb3d57
Showing 1 changed file with 9 additions and 1 deletion.
10 changes: 9 additions & 1 deletion _security/configuration/tls.md
Expand Up @@ -272,7 +272,15 @@ Updating expired or nearly expired TLS certificates does not require restarting
This setting is `false` by default.
{: .note }

After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file.
After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The new certificates need to be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file.
By default, the API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. This behaviour can be disabled by adding the following settings in `opensearch.yml`:

```
plugins.security.ssl.http.enforce_cert_reload_dn_verification: false
plugins.security.ssl.transport.enforce_cert_reload_dn_verification: false
```

These settings are `true` by default.

Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.
{: .note }
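Review bot: the added paragraph ("By default, the API expects the old certificates to be replaced ... This behaviour can be disabled ...") documents how to switch off the DN/SAN check but gives the reader no idea what the check protects against, and that is the one thing an operator needs before flipping a security setting to `false`. Add a sentence after "These settings are `true` by default." along the lines of: with `enforce_cert_reload_dn_verification` set to `false`, the Reload Certificates API will accept a certificate whose `Issuer/Subject DN` or `SAN` differ from the certificate it replaces, so the superadmin should confirm that the new certificate still matches any DN-based configuration (for example the admin certificate DN referenced in the superadmin note that follows) before calling the API. It would also help to state that the two settings are independent, so verification can be relaxed for the HTTP layer while remaining enforced for transport, or vice versa. Two smaller points: "behaviour" should be "behavior" to match the American spelling used elsewhere in these docs, and the line "These settings are `true` by default." mirrors the earlier "This setting is `false` by default." which carries a `{: .note }` marker, so either give it the same marker or fold it into the preceding paragraph for consistency.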
