Add hot reload TLS certificate section #433 (#6875) (#6975)

opensearch-project · Apr 18, 2024 · 717ee6c · 717ee6c
1 parent 28efa24
commit 717ee6c
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 0 deletions.
diff --git a/_api-reference/index.md b/_api-reference/index.md
@@ -61,6 +61,7 @@ This reference includes the REST APIs supported by OpenSearch. If a REST API is
 - [Supported units]({{site.url}}{{site.baseurl}}/api-reference/units/)
 - [Tasks]({{site.url}}{{site.baseurl}}/api-reference/tasks/)
 - [Transforms API]({{site.url}}{{site.baseurl}}/im-plugin/index-transforms/transforms-apis/)
+- [Hot reload TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#hot-reloading-tls-certificates)
 
 
 
diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md
@@ -260,3 +260,43 @@ The default insecure SSL password settings have been deprecated. In order to use
 * plugins.security.ssl.transport.truststore_password_secure
 
 These settings allow for the use of encrypted passwords in the settings.
+
+## Hot reloading TLS certificates
+
+Updating expired or nearly expired TLS certificates does not require restarting the cluster. Instead, enable hot reloading of TLS cerificates by adding the following line to `opensearch.yml`:
+
+
+`plugins.security.ssl_cert_reload_enabled: true`
+
+This setting is `false` by default.
+{: .note }
+
+After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file. 
+
+Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API.
+{: .note }
+
+### Reload TLS certificates on the transport layer
+ The following command reloads TLS certificates on the transport layer:
+
+  ```json
+  curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts
+  ```
+  {% include copy.html %}
+
+You should receive the following response:
+```{ "message": "successfully updated transport certs"}```
+
+### Reload TLS certificates on the http layer
+
+The following command reloads TLS certificates on the `http` layer:
+
+  ```json
+  curl --cacert <ca.pem> --cert <admin.pem> --key <admin.key> -XPUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts
+  ```
+  {% include copy.html %}
+
+You should receive the following response:
+
+```{ "message": "successfully updated http certs"}```
+