update testing/environments/docker/elasticsearch/pki certs

[AndersonQ]

Proposed commit message

update environments/docker/elasticsearch/pki certs
    
     - replace the expired certificates with certificated valid for 5 years
     - restore previous naming
     - update sha256 on certificate pinning tests
     - use keys in DER format

Checklist

• [ ] My code follows the style guidelines of this project
• [ ] I have commented my code, particularly in hard-to-understand areas
• [ ] I have made corresponding changes to the documentation
• [ ] I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

• none

How to test this PR locally

• check the new certificates are valid for 5 yeas:

openssl x509 -noout -text -in testing/environments/docker/elasticsearch/pki/ca/ca.pem

openssl x509 -noout -text -in testing/environments/docker/elasticsearch/pki/elasticsearchssl/elasticsearchssl_cert.pem

Related issues

• n/a

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @AndersonQ? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[mauri870]

Thanks for fixing this! I’m wondering if it would make sense to generate these files as part of CI so they’re always up to date. Otherwise, we’ll run into the same issue later and have to regenerate them. If that’s not possible, what’s the validity period of the certs you generated?

[AndersonQ]

the validity period of the certs you generated?

5 yeas, it's on the "how to test this PR"

I’m wondering if it would make sense to generate these files as part of CI so they’re always up to date

I was thinking about it as well. I rather have them generated on the fly as well. But first I'd like to unblock CI.
Also, from the rather quick look I had, the docker containers use them, and as far as I remember it should work everywhere, including windows. So it might need a bit more work than just changing a few lines on a test

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[mauri870]

LGTM. I confirmed locally that the new certs are valid for 5 years.

[rdner]

@Mergifyio backport 8.19

[mergify]

backport 8.19

✅ Backports have been created

Details

• #48783 [8.19](backport #46337) update testing/environments/docker/elasticsearch/pki certs has been created for branch 8.19