html/server/7.14/configuration-ssl.html

<!DOCTYPE html>
<html lang="en-us">
  <head>
    
<meta charset="UTF-8">
<title>SSL output settings | APM Server Reference [7.14] | Elastic</title>
<meta class="elastic" name="content" content="SSL output settings | APM Server Reference [7.14]">

<link rel="home" href="index.html" title="APM Server Reference [7.14]"/>
<link rel="up" href="configuration-ssl-landing.html" title="SSL/TLS settings"/>
<link rel="prev" href="configuration-ssl-landing.html" title="SSL/TLS settings"/>
<link rel="next" href="agent-server-ssl.html" title="SSL input settings"/>
<meta class="elastic" name="product_version" content="7.14"/>
<meta class="elastic" name="product_name" content="APM"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/APM Server/Reference/7.14"/>
<meta name="DC.subject" content="APM"/>
<meta name="DC.identifier" content="7.14"/>
<meta name="robots" content="noindex,nofollow"/>

    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
    <meta name="yandex-verification" content="d8a47e95d0972434" />
    <meta name="localized" content="true" />
    <meta name="st:robots" content="follow,index" />
    <meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
    <meta property="og:image:width" content="500" />
    <meta property="og:image:height" content="172" />
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
  </head>

  <!--© 2015-2025 Elasticsearch B.V. -->
  <!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
  <!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!-- Google Tag Manager for GA4 -->
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-KNJMG2M');</script>
    <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <!-- End Google Tag Manager for GA4-->

    <div id='elastic-nav' style="display:none;"></div>
    <script src='https://www.elastic.co/elastic-nav.js'></script>

    <div class="main-container">
      <section id="content" >
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container-fluid">
              <div class="row pb-3">
                <div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
                  <!-- The TOC is appended here -->
                </div>

                <div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
                  <!-- start body -->
                  
<div class="page_header">
A newer version is available. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div class="navheader">
<span class="prev">
<a href="configuration-ssl-landing.html">« SSL/TLS settings</a>
</span>
<span class="next">
<a href="agent-server-ssl.html">SSL input settings »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link">
  <div id="related-products" class="dropdown">
  <div class="related-products-title">APM:</div>
  <div class="dropdown-anchor" tabindex="0">Server Reference<span class="dropdown-icon"></span></div>
  <div class="dropdown-content">
  <ul>
  <li class="dropdown-category">APM</li>
  <ul>
  <li><a href="/guide/en/observability/current/apm.html">Observability › APM</a></li>
  </ul>
  <li class="dropdown-category">APM agents</li>
  <ul>
  <li><a href="/guide/en/apm/agent/android/current/intro.html">Android Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/go/current/introduction.html">Go Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/swift/current/intro.html">iOS Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/java/current/intro.html">Java Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/dotnet/current/intro.html">.NET Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/nodejs/current/intro.html">Node.js Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/php/current/intro.html">PHP Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/python/current/getting-started.html">Python Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/ruby/current/introduction.html">Ruby Agent Reference</a></li>
  <li><a href="/guide/en/apm/agent/rum-js/current/intro.html">Real User Monitoring JavaScript Agent Reference</a></li>
  </ul>
  <li class="dropdown-category">APM extensions</li>
  <ul>
  <li><a href="/guide/en/apm/lambda/current/aws-lambda-arch.html">AWS Lambda extension</a></li>
  <li><a href="/guide/en/apm/attacher/current/apm-attacher.html">Attacher</a></li>
  </ul>
  </ul>
  </div>
  </div>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="configuring-howto-apm-server.html">Configure APM Server</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="configuration-ssl-landing.html">SSL/TLS settings</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>SSL output settings</h1><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
    <strong>IMPORTANT</strong>: This documentation is no longer updated. Refer to <a href="https://www.elastic.co/support/eol">Elastic's version policy</a> and the <a href="https://www.elastic.co/docs">latest documentation</a>.
</div>
<div class="section">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="configuration-ssl"></a>SSL output settings</h2><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
</div></div></div>
<p>You can specify SSL options with any output that supports SSL, like Elasticsearch, Logstash, or Kafka.</p>
<p>Example output config with SSL enabled:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">output.elasticsearch.hosts: ["https://192.168.1.42:9200"]
output.elasticsearch.ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
output.elasticsearch.ssl.certificate: "/etc/pki/client/cert.pem"
output.elasticsearch.ssl.key: "/etc/pki/client/cert.key"</pre>
</div>
<p>Also see <a class="xref" href="configuring-ssl-logstash.html" title="Secure communication with Logstash"><em>Secure communication with Logstash</em></a>.</p>
<p>There are a number of SSL configuration options available to you:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="configuration-ssl.html#ssl-common-config" title="Common configuration options">Common configuration options</a>
</li>
<li class="listitem">
<a class="xref" href="configuration-ssl.html#ssl-client-config" title="Client configuration options">Client configuration options</a>
</li>
<li class="listitem">
<a class="xref" href="configuration-ssl.html#ssl-server-config" title="Server configuration options">Server configuration options</a>
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="ssl-common-config"></a>Common configuration options</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>Common SSL configuration options can be used in both client and server configurations.
You can specify the following options in the <code class="literal">ssl</code> section of each subsystem that
supports SSL.</p>
<div class="position-relative"><h5><a id="enabled"></a><code class="literal">enabled</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>To disable SSL configuration, set the value to <code class="literal">false</code>. The default value is <code class="literal">true</code>.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>SSL settings are disabled if either <code class="literal">enabled</code> is set to <code class="literal">false</code> or the
<code class="literal">ssl</code> section is missing.</p>
</div>
</div>
<div class="position-relative"><h5><a id="supported-protocols"></a><code class="literal">supported_protocols</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>List of allowed SSL/TLS versions. If SSL/TLS server decides for protocol versions
not configured, the connection will be dropped during or after the handshake. The
setting is a list of allowed protocol versions:
<code class="literal">SSLv3</code>, <code class="literal">TLSv1</code> for TLS version 1.0, <code class="literal">TLSv1.0</code>, <code class="literal">TLSv1.1</code>, <code class="literal">TLSv1.2</code>, and
<code class="literal">TLSv1.3</code>.</p>
<p>The default value is <code class="literal">[TLSv1.1, TLSv1.2, TLSv1.3]</code>.</p>
<div class="position-relative"><h5><a id="cipher-suites"></a><code class="literal">cipher_suites</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The list of cipher suites to use. The first entry has the highest priority.
If this option is omitted, the Go crypto library&#8217;s <a href="https://golang.org/pkg/crypto/tls/" class="ulink" target="_top">default suites</a>
are used (recommended). Note that TLS 1.3 cipher suites are not
individually configurable in Go, so they are not included in this list.</p>
<p>The following cipher suites are available:</p>
<div class="informaltable">
<table border="1" cellpadding="4px">
<colgroup>
<col class="col_1"/>
<col class="col_2"/>
</colgroup>
<thead>
<tr>
<th align="left" valign="top">Cypher</th>
<th align="left" valign="top">Notes</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-AES-128-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-AES-128-CBC-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only. Disabled by default.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-AES-128-GCM-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-AES-256-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-AES-256-GCM-SHA384</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-CHACHA20-POLY1305</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-ECDSA-RC4-128-SHA</p></td>
<td align="left" valign="top"><p>Disabled by default. RC4 not recommended.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-3DES-CBC3-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-AES-128-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-AES-128-CBC-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only. Disabled by default.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-AES-128-GCM-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-AES-256-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-AES-256-GCM-SHA384</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-CHACHA20-POLY1205</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>ECDHE-RSA-RC4-128-SHA</p></td>
<td align="left" valign="top"><p>Disabled by default. RC4 not recommended.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-3DES-CBC3-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-AES-128-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-AES-128-CBC-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only. Disabled by default.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-AES-128-GCM-SHA256</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-AES-256-CBC-SHA</p></td>
<td align="left" valign="top"><p></p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-AES-256-GCM-SHA384</p></td>
<td align="left" valign="top"><p>TLS 1.2 only.</p></td>
</tr>
<tr>
<td align="left" valign="top"><p>RSA-RC4-128-SHA</p></td>
<td align="left" valign="top"><p>Disabled by default. RC4 not recommended.</p></td>
</tr>
</tbody>
</table>
</div>
<p>Here is a list of acronyms used in defining the cipher suites:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
3DES:
Cipher suites using triple DES
</li>
<li class="listitem">
AES-128/256:
Cipher suites using AES with 128/256-bit keys.
</li>
<li class="listitem">
CBC:
Cipher using Cipher Block Chaining as block cipher mode.
</li>
<li class="listitem">
ECDHE:
Cipher suites using Elliptic Curve Diffie-Hellman (DH) ephemeral key exchange.
</li>
<li class="listitem">
ECDSA:
Cipher suites using Elliptic Curve Digital Signature Algorithm for authentication.
</li>
<li class="listitem">
GCM:
Galois/Counter mode is used for symmetric key cryptography.
</li>
<li class="listitem">
RC4:
Cipher suites using RC4.
</li>
<li class="listitem">
RSA:
Cipher suites using RSA.
</li>
<li class="listitem">
SHA, SHA256, SHA384:
Cipher suites using SHA-1, SHA-256 or SHA-384.
</li>
</ul>
</div>
<div class="position-relative"><h5><a id="curve-types"></a><code class="literal">curve_types</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange).</p>
<p>The following elliptic curve types are available:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
P-256
</li>
<li class="listitem">
P-384
</li>
<li class="listitem">
P-521
</li>
<li class="listitem">
X25519
</li>
</ul>
</div>
<div class="position-relative"><h5><a id="ca-sha256"></a><code class="literal">ca_sha256</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain.</p>
<p>The pin is a base64 encoded string of the SHA-256 of the certificate.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This check is not a replacement for the normal SSL validation, but it adds additional validation.
If this option is used with  <code class="literal">verification_mode</code> set to <code class="literal">none</code>, the check will always fail because
it will not receive any verified chains.</p>
</div>
</div>
<div class="position-relative"><h4><a id="ssl-client-config"></a>Client configuration options</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>You can specify the following options in the <code class="literal">ssl</code> section of each subsystem that
supports SSL.</p>
<div class="position-relative"><h5><a id="client-certificate-authorities"></a><code class="literal">certificate_authorities</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The list of root certificates for verifications is required. If <code class="literal">certificate_authorities</code> is empty or not set, the
system keystore is used. If <code class="literal">certificate_authorities</code> is self-signed, the host system
needs to trust that CA cert as well.</p>
<p>By default you can specify a list of files that <code class="literal">apm-server</code> will read, but you
can also embed a certificate directly in the <code class="literal">YAML</code> configuration:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
    sxSmbIUfc2SGJGCJD4I=
    -----END CERTIFICATE-----</pre>
</div>
<div class="position-relative"><h5><a id="client-certificate"></a><code class="literal">certificate: "/etc/pki/client/cert.pem"</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The path to the certificate for SSL client authentication is only required if
<code class="literal">client_authentication</code> is specified. If the certificate
is not specified, client authentication is not available. The connection
might fail if the server requests client authentication. If the SSL server does not
require client authentication, the certificate will be loaded, but not requested or used
by the server.</p>
<p>When this option is configured, the <a class="xref" href="configuration-ssl.html#client-key" title="key: "/etc/pki/client/cert.key""><code class="literal">key</code></a> option is also required.
The certificate option support embedding of the certificate:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">certificate: |
    -----BEGIN CERTIFICATE-----
    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
    sxSmbIUfc2SGJGCJD4I=
    -----END CERTIFICATE-----</pre>
</div>
<div class="position-relative"><h5><a id="client-key"></a><code class="literal">key: "/etc/pki/client/cert.key"</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The client certificate key used for client authentication and is only required
if <code class="literal">client_authentication</code> is configured. The key option support embedding of the private key:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
    nygO9KTJuUiBrLr0AHEnqko=
    -----END PRIVATE KEY-----</pre>
</div>
<div class="position-relative"><h5><a id="client-key-passphrase"></a><code class="literal">key_passphrase</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The passphrase used to decrypt an encrypted key stored in the configured <code class="literal">key</code> file.</p>
<div class="position-relative"><h5><a id="client-verification-mode"></a><code class="literal">verification_mode</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>Controls the verification of server certificates. Valid values are:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">full</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server&#8217;s hostname (or IP address)
matches the names identified within the certificate.
</dd>
<dt>
<span class="term">
<code class="literal">strict</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server&#8217;s hostname (or IP address)
matches the names identified within the certificate. If the Subject Alternative
Name is empty, it returns an error.
</dd>
<dt>
<span class="term">
<code class="literal">certificate</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a
trusted authority (CA), but does not perform any hostname verification.
</dd>
<dt>
<span class="term">
<code class="literal">none</code>
</span>
</dt>
<dd>
<p>
Performs <em>no verification</em> of the server&#8217;s certificate. This
mode disables many of the security benefits of SSL/TLS and should only be used
after cautious consideration. It is primarily intended as a temporary
diagnostic mechanism when attempting to resolve TLS errors; its use in
production environments is strongly discouraged.
</p>
<p>The default value is <code class="literal">full</code>.</p>
</dd>
</dl>
</div>
<div class="position-relative"><h4><a id="ssl-server-config"></a>Server configuration options</h4><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>You can specify the following options in the <code class="literal">ssl</code> section of each subsystem that
supports SSL.</p>
<div class="position-relative"><h5><a id="server-certificate-authorities"></a><code class="literal">certificate_authorities</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The list of root certificates for client verifications is only required if
<code class="literal">client_authentication</code> is configured. If <code class="literal">certificate_authorities</code> is empty or not set, and
<code class="literal">client_authentication</code> is configured, the system keystore is used.</p>
<p>If <code class="literal">certificate_authorities</code> is self-signed, the host system needs to trust that CA cert as well.
By default you can specify a list of files that <code class="literal">apm-server</code> will read, but you can also embed a certificate
directly in the <code class="literal">YAML</code> configuration:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">certificate_authorities:
  - |
    -----BEGIN CERTIFICATE-----
    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
    sxSmbIUfc2SGJGCJD4I=
    -----END CERTIFICATE-----</pre>
</div>
<div class="position-relative"><h5><a id="server-certificate"></a><code class="literal">certificate: "/etc/pki/server/cert.pem"</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>For server authentication, the path to the SSL authentication certificate must
be specified for TLS. If the certificate is not specified, startup will fail.</p>
<p>When this option is configured, the <a class="xref" href="configuration-ssl.html#server-key" title="key: "/etc/pki/server/cert.key""><code class="literal">key</code></a> option is also required.
The certificate option support embedding of the certificate:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">certificate: |
    -----BEGIN CERTIFICATE-----
    MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
    ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
    MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
    fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
    94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
    /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
    PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
    CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
    BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
    8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
    874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
    3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
    H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
    8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
    yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
    sxSmbIUfc2SGJGCJD4I=
    -----END CERTIFICATE-----</pre>
</div>
<div class="position-relative"><h5><a id="server-key"></a><code class="literal">key: "/etc/pki/server/cert.key"</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The server certificate key used for authentication is required.
The key option support embedding of the private key:</p>
<div class="pre_wrapper lang-yaml">
<div class="console_code_copy" title="Copy to clipboard"></div>
<pre class="programlisting prettyprint lang-yaml">key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXHufGPycpCOfI
    sjl6cRn8NP4DLxdIVEAHFK0jMRDup32UQOPW+DleEsFpgN9/ebi9ngdjQfMvKnUP
    Zrl1HTwVhOJfazGeoJn7vdDeQebhJfeDXHwX2DiotXyUPYu1ioU45UZDAoAZFj5F
    KJLwWRUbfEbRe8yO+wUhKKxxkApPbfw+wUtBicn1RIX7W1nBRABt1UXKDIRe5FM2
    MKfqhEqK4hUWC3g1r+vGTrxu3qFpzz7L2UrRFRIpo7yuTUhEhEGvcVsiTppTil4Z
    HcprXFHf5158elEwhYJ5IM0nU1leNQiOgemifbLwkyNkLqCKth8V/4sezr1tYblZ
    nMh1cclBAgMBAAECggEBAKdP5jyOicqknoG9/G564RcDsDyRt64NuO7I6hBg7SZx
    Jn7UKWDdFuFP/RYtoabn6QOxkVVlydp5Typ3Xu7zmfOyss479Q/HIXxmmbkD0Kp0
    eRm2KN3y0b6FySsS40KDRjKGQCuGGlNotW3crMw6vOvvsLTlcKgUHF054UVCHoK/
    Piz7igkDU7NjvJeha53vXL4hIjb10UtJNaGPxIyFLYRZdRPyyBJX7Yt3w8dgz8WM
    epOPu0dq3bUrY3WQXcxKZo6sQjE1h7kdl4TNji5jaFlvD01Y8LnyG0oThOzf0tve
    Gaw+kuy17gTGZGMIfGVcdeb+SlioXMAAfOps+mNIwTECgYEA/gTO8W0hgYpOQJzn
    BpWkic3LAoBXWNpvsQkkC3uba8Fcps7iiEzotXGfwYcb5Ewf5O3Lrz1EwLj7GTW8
    VNhB3gb7bGOvuwI/6vYk2/dwo84bwW9qRWP5hqPhNZ2AWl8kxmZgHns6WTTxpkRU
    zrfZ5eUrBDWjRU2R8uppgRImsxMCgYEA2MxuL/C/Ko0d7XsSX1kM4JHJiGpQDvb5
    GUrlKjP/qVyUysNF92B9xAZZHxxfPWpdfGGBynhw7X6s+YeIoxTzFPZVV9hlkpAA
    5igma0n8ZpZEqzttjVdpOQZK8o/Oni/Q2S10WGftQOOGw5Is8+LY30XnLvHBJhO7
    TKMurJ4KCNsCgYAe5TDSVmaj3dGEtFC5EUxQ4nHVnQyCpxa8npL+vor5wSvmsfUF
    hO0s3GQE4sz2qHecnXuPldEd66HGwC1m2GKygYDk/v7prO1fQ47aHi9aDQB9N3Li
    e7Vmtdn3bm+lDjtn0h3Qt0YygWj+wwLZnazn9EaWHXv9OuEMfYxVgYKpdwKBgEze
    Zy8+WDm5IWRjn8cI5wT1DBT/RPWZYgcyxABrwXmGZwdhp3wnzU/kxFLAl5BKF22T
    kRZ+D+RVZvVutebE9c937BiilJkb0AXLNJwT9pdVLnHcN2LHHHronUhV7vetkop+
    kGMMLlY0lkLfoGq1AxpfSbIea9KZam6o6VKxEnPDAoGAFDCJm+ZtsJK9nE5GEMav
    NHy+PwkYsHhbrPl4dgStTNXLenJLIJ+Ke0Pcld4ZPfYdSyu/Tv4rNswZBNpNsW9K
    0NwJlyMBfayoPNcJKXrH/csJY7hbKviAHr1eYy9/8OL0dHf85FV+9uY5YndLcsDc
    nygO9KTJuUiBrLr0AHEnqko=
    -----END PRIVATE KEY-----</pre>
</div>
<div class="position-relative"><h5><a id="server-key-passphrase"></a><code class="literal">key_passphrase</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>The passphrase is used to decrypt an encrypted key stored in the configured <code class="literal">key</code> file.</p>
<div class="position-relative"><h5><a id="server-verification-mode"></a><code class="literal">verification_mode</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>Controls the verification of client certificates. Valid values are:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">full</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server&#8217;s hostname (or IP address)
matches the names identified within the certificate.
</dd>
<dt>
<span class="term">
<code class="literal">strict</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a trusted
authority (CA) and also verifies that the server&#8217;s hostname (or IP address)
matches the names identified within the certificate. If the Subject Alternative
Name is empty, it returns an error.
</dd>
<dt>
<span class="term">
<code class="literal">certificate</code>
</span>
</dt>
<dd>
Verifies that the provided certificate is signed by a
trusted authority (CA), but does not perform any hostname verification.
</dd>
<dt>
<span class="term">
<code class="literal">none</code>
</span>
</dt>
<dd>
<p>
Performs <em>no verification</em> of the server&#8217;s certificate. This
mode disables many of the security benefits of SSL/TLS and should only be used
after cautious consideration. It is primarily intended as a temporary
diagnostic mechanism when attempting to resolve TLS errors; its use in
production environments is strongly discouraged.
</p>
<p>The default value is <code class="literal">full</code>.</p>
</dd>
</dl>
</div>
<div class="position-relative"><h5><a id="server-renegotiation"></a><code class="literal">renegotiation</code></h5><a class="edit_me" rel="nofollow" title="Edit this page on GitHub" href="https://github.com/elastic/apm-server/edit/7.14/docs/copied-from-beats/docs/shared-ssl-config.asciidoc">edit</a></div>
<p>This configures what types of TLS renegotiation are supported. The valid options
are:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
<code class="literal">never</code>
</span>
</dt>
<dd>
Disables renegotiation.
</dd>
<dt>
<span class="term">
<code class="literal">once</code>
</span>
</dt>
<dd>
Allows a remote server to request renegotiation once per connection.
</dd>
<dt>
<span class="term">
<code class="literal">freely</code>
</span>
</dt>
<dd>
<p>
Allows a remote server to request renegotiation repeatedly.
</p>
<p>The default value is <code class="literal">never</code>.</p>
</dd>
</dl>
</div>
</div>
</div>
</div><div class="navfooter">
<span class="prev">
<a href="configuration-ssl-landing.html">« SSL/TLS settings</a>
</span>
<span class="next">
<a href="agent-server-ssl.html">SSL input settings »</a>
</span>
</div>

                  <!-- end body -->
                </div>

                <div class="col-12 order-3 col-lg-2 order-lg-3 h-almost-full-lg sticky-top-lg" id="right_col">
                  <div id="sticky_content">
                    <!-- The OTP is appended here -->
                    <div class="row">
                      <div class="col-0 col-md-4 col-lg-0" id="bottom_left_col"></div>
                      <div class="col-12 col-md-8 col-lg-12">
                        <div id="rtpcontainer">
                          <div class="mktg-promo" id="most-popular">
                            <p class="aside-heading">Most Popular</p>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-elasticsearch?page=docs&placement=top-video">
                                <p class="mb-0">Get Started with Elasticsearch</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/getting-started-kibana?page=docs&placement=top-video">
                                <p class="mb-0">Intro to Kibana</p>
                              </a>
                            </div>
                            <div class="pb-2">
                              <p class="media-type">Video</p>
                              <a href="https://www.elastic.co/webinars/introduction-elk-stack?page=docs&placement=top-video">
                                <p class="mb-0">ELK for Logs & Metrics</p>
                              </a>
                            </div>
                          </div>
                        </div>

                        <!-- Feedback widget -->
                        <div id="feedbackWidgetContainer"></div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


        <div id='elastic-footer'></div>
        <script src='https://www.elastic.co/elastic-footer.js'></script>
        <!-- Footer Section end-->

      </section>
    </div>

    <!-- Feedback modal -->
    <div id="feedbackModalContainer"></div>

    <script src="/guide/static/jquery.js"></script>
    <script type="text/javascript" src="/guide/static/docs-v1.js"></script>
    <script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>