diff --git a/_api-reference/index.md b/_api-reference/index.md index 41d54989c8..815b4af365 100644 --- a/_api-reference/index.md +++ b/_api-reference/index.md @@ -61,6 +61,7 @@ This reference includes the REST APIs supported by OpenSearch. If a REST API is - [Supported units]({{site.url}}{{site.baseurl}}/api-reference/units/) - [Tasks]({{site.url}}{{site.baseurl}}/api-reference/tasks/) - [Transforms API]({{site.url}}{{site.baseurl}}/im-plugin/index-transforms/transforms-apis/) +- [Hot reload TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/#hot-reloading-tls-certificates) diff --git a/_security/configuration/tls.md b/_security/configuration/tls.md index a207b384a1..307176c870 100755 --- a/_security/configuration/tls.md +++ b/_security/configuration/tls.md 
@@ -226,3 +226,43 @@ The default insecure SSL password settings have been deprecated. In order to use * plugins.security.ssl.transport.truststore_password_secure These settings allow for the use of encrypted passwords in the settings. + +## Hot reloading TLS certificates + +Updating expired or nearly expired TLS certificates does not require restarting the cluster. Instead, enable hot reloading of TLS cerificates by adding the following line to `opensearch.yml`: + + +`plugins.security.ssl_cert_reload_enabled: true` + +This setting is `false` by default. +{: .note } + +After enabling hot reloading, use the Reload Certificates API to replace the expired certificates. The API expects the old certificates to be replaced with valid certificates issued with the same `Issuer/Subject DN` and `SAN`. The new certificates also need be stored in the same location as the previous certificates in order to prevent any changes to the `opensearch.yml` file. + +Only a [superadmin]({{site.url}}{{site.baseurl}}/security/configuration/tls/#configuring-admin-certificates) can use the Reload Certificates API. +{: .note } + +### Reload TLS certificates on the transport layer + The following command reloads TLS certificates on the transport layer: + + ```json + curl --cacert --cert --key -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts + ``` + {% include copy.html %} + +You should receive the following response: +```{ "message": "successfully updated transport certs"}``` + +### Reload TLS certificates on the http layer + +The following command reloads TLS certificates on the `http` layer: + + ```json + curl --cacert --cert --key -XPUT https://localhost:9200/_plugins/_security/api/ssl/http/reloadcerts + ``` + {% include copy.html %} + +You should receive the following response: + +```{ "message": "successfully updated http certs"}``` +
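Review bot: the new `Hot reload TLS certificates` entry in `_api-reference/index.md` is appended after `Transforms API`, which breaks the alphabetical order the surrounding entries follow (`Supported units`, `Tasks`, `Transforms API`); move it to its alphabetical position, and consider naming the entry `Reload Certificates API` so it matches the name used in the new `tls.md` section it links to.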
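Review bot: both `curl` commands in the new `Hot reloading TLS certificates` section of `tls.md` pass `--cacert --cert --key` with no arguments, so as written `curl` consumes `--cert` as the CA file path and `--key` as the client certificate path and the request fails; use labelled placeholders such as `curl --cacert /path/to/root-ca.pem --cert /path/to/admin.pem --key /path/to/admin-key.pem -XPUT https://localhost:9200/_plugins/_security/api/ssl/transport/reloadcerts`, and since the section states that only a superadmin can call the API, say explicitly that `--cert`/`--key` must be the admin certificate and its key. The command fences are tagged `json` although they contain a shell command (`bash` fits), the expected-response blocks are written as single-line triple-backtick runs (` ```{ "message": "successfully updated transport certs"}``` `) that will not render as fenced code, and the fences in the transport subsection are indented by a leading space while the rest of the page is not. Minor wording: `cerificates` should be `certificates`, `need be stored` should be `need to be stored`, and the heading `http layer` should read `HTTP layer` to match `transport layer`.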