OpenSearch/x-pack/docs/en/rest-api/security/ssl.asciidoc

[role="xpack"]
[[security-api-ssl]]
=== SSL certificate API
++++
<titleabbrev>SSL certificate</titleabbrev>
++++

The `certificates` API enables you to retrieve information about the X.509
certificates that are used to encrypt communications in your {es} cluster.

==== Request

`GET /_ssl/certificates`


==== Description

For more information about how certificates are configured in conjunction with
Transport Layer Security (TLS), see
{stack-ov}/ssl-tls.html[Setting up SSL/TLS on a cluster].

The API returns a list that includes certificates from all TLS contexts
including:

* Settings for transport and HTTP interfaces
* TLS settings that are used within authentication realms
* TLS settings for remote monitoring exporters

The list includes certificates that are used for configuring trust, such as
those configured in the `xpack.security.transport.ssl.truststore` and
`xpack.security.transport.ssl.certificate_authorities` settings. It also
includes certificates that are used for configuring server identity, such as
`xpack.security.http.ssl.keystore` and
`xpack.security.http.ssl.certificate` settings.

The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in
use within {es}.

NOTE: When a PKCS#11 token is configured as the truststore of the JRE, the API
will return all the certificates that are included in the PKCS#11 token
irrespectively to whether these are used in the {es} TLS configuration or not.

If {es} is configured to use a keystore or truststore, the API output
includes all certificates in that store, even though some of the certificates
might not be in active use within the cluster.


==== Results

The response is an array of objects, with each object representing a
single certificate. The fields in each object are:

`path`:: (string) The path to the certificate, as configured in the
`elasticsearch.yml` file.
`format`:: (string) The format of the file. One of: `jks`, `PKCS12`, `PEM`.
`alias`:: (string) If the path refers to a container file (a jks keystore, or a
  PKCS#12 file), the alias of the certificate. Otherwise, null.
`subject_dn`:: (string) The Distinguished Name of the certificate's subject.
`serial_number`:: (string) The hexadecimal representation of the certificate's
serial number.
`has_private_key`:: (boolean) If {es} has access to the private key for this
certificate, this field has a value of `true`.
`expiry`:: (string) The ISO formatted date of the certificate's expiry
(not-after) date.

==== Authorization

If the {security-features} are enabled, you must have `monitor` cluster
privileges to use this API. For more information, see
{stack-ov}/security-privileges.html[Security Privileges].


==== Examples

The following example provides information about the certificates on a single
node of {es}:

[source,js]
--------------------------------------------------
GET /_ssl/certificates
--------------------------------------------------
// CONSOLE
// TEST

The API returns the following results:

[source,js]
----
[
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    "has_private_key": false,
    "expiry": "2021-01-15T20:42:49.000Z"
  },
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    "has_private_key": false,
    "expiry": "2021-01-15T20:42:49.000Z"
  },
  {
    "path": "certs/elastic-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=instance",
    "serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
    "has_private_key": true,
    "expiry": "2021-01-15T20:44:32.000Z"
  }
]
----
// NOTCONSOLE