- Fleet and Elastic Agent Guide: other versions:
- Fleet and Elastic Agent overview
- Beats and Elastic Agent capabilities
- Quick starts
- Migrate from Beats to Elastic Agent
- Deployment models
- Install Elastic Agents
- Install Fleet-managed Elastic Agents
- Install standalone Elastic Agents
- Install Elastic Agents in a containerized environment
- Run Elastic Agent in a container
- Run Elastic Agent on Kubernetes managed by Fleet
- Install Elastic Agent on Kubernetes using Helm
- Example: Install standalone Elastic Agent on Kubernetes using Helm
- Example: Install Fleet-managed Elastic Agent on Kubernetes using Helm
- Advanced Elastic Agent configuration managed by Fleet
- Configuring Kubernetes metadata enrichment on Elastic Agent
- Run Elastic Agent on GKE managed by Fleet
- Run Elastic Agent on Amazon EKS managed by Fleet
- Run Elastic Agent on Azure AKS managed by Fleet
- Run Elastic Agent Standalone on Kubernetes
- Scaling Elastic Agent on Kubernetes
- Using a custom ingest pipeline with the Kubernetes Integration
- Environment variables
- Run Elastic Agent as an OTel Collector
- Run Elastic Agent without administrative privileges
- Install Elastic Agent from an MSI package
- Installation layout
- Air-gapped environments
- Using a proxy server with Elastic Agent and Fleet
- Uninstall Elastic Agents from edge hosts
- Start and stop Elastic Agents on edge hosts
- Elastic Agent configuration encryption
- Secure connections
- Manage Elastic Agents in Fleet
- Configure standalone Elastic Agents
- Create a standalone Elastic Agent policy
- Structure of a config file
- Inputs
- Providers
- Outputs
- SSL/TLS
- Logging
- Feature flags
- Agent download
- Config file examples
- Grant standalone Elastic Agents access to Elasticsearch
- Example: Use standalone Elastic Agent with Elastic Cloud Serverless to monitor nginx
- Example: Use standalone Elastic Agent with Elasticsearch Service to monitor nginx
- Debug standalone Elastic Agents
- Kubernetes autodiscovery with Elastic Agent
- Monitoring
- Reference YAML
- Manage integrations
- Package signatures
- Add an integration to an Elastic Agent policy
- View integration policies
- Edit or delete an integration policy
- Install and uninstall integration assets
- View integration assets
- Set integration-level outputs
- Upgrade an integration
- Managed integrations content
- Best practices for integrations assets
- Data streams
- Define processors
- Processor syntax
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- parse_aws_vpc_flow_log
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Command reference
- Troubleshoot
- Release notes
Configure SSL/TLS for standalone Elastic Agents
editConfigure SSL/TLS for standalone Elastic Agents
editThere are a number of SSL configuration settings available depending on whether you are configuring a client, server, or both. See the following tables for available settings:
- Table 7, “Common configuration options”. These settings are valid in both client and server configurations.
- Table 8, “Client configuration options”
- Table 9, “Server configuration options”
For more information about using certificates, refer to Secure connections.
Table 7. Common configuration options
Setting | Description |
---|---|
(string) This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain. The pin is a base64 encoded string of the SHA-256 of the certificate. This check is not a replacement for the normal SSL validation, but it adds
additional validation. If this setting is used with |
|
(list) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. The following cipher suites are available:
Here is a list of acronyms used in defining the cipher suites:
|
|
(list) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). The following elliptic curve types are available:
|
|
(boolean) Enables or disables the SSL configuration. Default: SSL settings are disabled if either |
|
(list) List of allowed SSL/TLS versions. If the SSL/TLS server supports none
of the specified versions, the connection will be dropped during or after the
handshake. The list of allowed protocol versions include: Default: |
Table 8. Client configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL client authentication. This
setting is only required if Example: ssl.certificate: "/path/to/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for verifications (required). If
Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) The client certificate key used for client authentication. Only
required if Example: ssl.key: "/path/to/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Controls the verification of server certificates. Valid values are:
Default: |
|
(string) A HEX encoded SHA-256 of a CA certificate. If this certificate is
present in the chain during the handshake, it will be added to the
Example: ssl.ca_trusted_fingerprint: 3b24d33844d6553...826 |
Table 9. Server configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL server authentication. If the certificate is not specified, startup will fail. Example: ssl.certificate: "/path/to/server/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for client verifications is only required
if Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) Configures client authentication. The valid options are:
Default: |
|
(string) The server certificate key used for authentication (required). Example: ssl.key: "/path/to/server/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Configures the type of TLS renegotiation to support. The valid options are:
Default: |
|
(string) Controls the verification of client certificates. Valid values are:
Default: |