Clarify how certificate fingerprints work for Fleet Server #5138

Open
vishaangelova wants to merge 2 commits into main from 447-ca-fingerprint

@vishaangelova vishaangelova commented Feb 13, 2026

Summary

This PR:

  • Adds clarifications for configuring CA fingerprints
  • Adds a document that explains how CA fingerprints work and clarifies the difference between CA fingerprints and CA files.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • No
  2. If you answered "Yes" to the previous question, please specify the tool(s) and model(s) used (e.g., Google Gemini, OpenAI ChatGPT-4, etc.).

Tool(s) and model(s) used: Cursor 2.4.36 with claude-4.5-sonnet

Preview

@vishaangelova vishaangelova requested a review from a team as a code owner February 13, 2026 15:09
@vishaangelova vishaangelova changed the title from "[WIP" to "[WIP] Clarify how the certificate fingerprint works" Feb 13, 2026
github-actions bot commented Feb 13, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@vishaangelova vishaangelova marked this pull request as draft February 13, 2026 15:11
@vishaangelova vishaangelova changed the title from "[WIP] Clarify how the certificate fingerprint works" to "Clarify how certificate fingerprints work for Fleet Server" Feb 17, 2026
@vishaangelova vishaangelova marked this pull request as ready for review February 17, 2026 16:14
description: Use certificate fingerprints to secure Elastic Agent connections to Fleet Server and Elasticsearch without CA certificate files.
applies_to:
stack: ga
serverless: unavailable
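Review bot: `serverless: unavailable` on the last line of this front matter excludes the page from serverless entirely, while the `description` above it covers Elastic Agent connections to both Fleet Server and Elasticsearch. Please confirm that the exclusion is intended for both connection types; if only one of them is out of scope on serverless, keep the page available and state the limitation in the body instead.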
Contributor Author

Is it correct to mark this document as serverless: unavailable?

Contributor

I don't think so. The TLS validation is independent of the Elasticsearch deployment type.

However, if a user is connecting to a serverless Elasticsearch, they don't need to set certificate authorities or a fingerprint because Elastic always uses trusted certificates. This is valid for both serverless and ECH.
