Open
Description
We do not provide guidance on how to approach a CA certificates replacement in Fleet Server and/or Elasticsearch with Fleet-managed Elastic Agents.
The CA used by Elastic Agent to trust the Fleet Server cannot be provided in the policy. It is only available as a command line parameter and it points to a local file.
- Do we support multiple CAs in Elastic Agents?
- Can we hot-swap the CA (is it reloaded by Elastic Agent), or is it reloaded only at startup?
Ideally, for updating the CA in Fleet Server without downtime:
- All the Elastic Agents enrolled to the Fleet Server should be updated to trust both the OLD CA and NEW CA. How?
- Fleet Server can be restarted, replacing the Fleet Server certificates and CA. How?
Ideally, for updating the CA in Elasticsearch without downtime:
- All the Elastic Agents enrolled to the Fleet Server should be updated to trust both the OLD CA and NEW CA. Elasticsearch certs are typically defined in the Fleet UI / Output settings (via reference to a file or embedded in the policy). How?
- Fleet Server should also be configured to trust both the OLD CA and NEW CA of Elasticsearch. How?
- Elasticsearch should be roll-restarted to update its CA. How to do that is not in the scope of the guide.
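The "trust both the OLD CA and NEW CA" step above boils down to handing every client a CA file that contains both CA certificates for the whole rotation window. The script below is an added example, not code from this issue or from Elastic: it generates an OLD and a NEW CA, issues one server certificate from each, concatenates the two CA certificates into a single bundle, and checks with `openssl verify` that certificates from either CA validate against the bundle while the old CA alone rejects the new-CA-signed certificate. File names (`old-ca`, `new-ca`, `fleet-server-old`, `fleet-server-new`, `ca-bundle.crt`) and the `$WORK` directory are assumptions for the example; the resulting bundle is the kind of local CA file the issue says Elastic Agent takes on the command line, and the same bundle can be used wherever a CA file is referenced for the Elasticsearch output.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or from Elastic): build a CA bundle that
# trusts both the OLD and the NEW CA, and prove that server certificates
# signed by either CA validate against it. Names and paths are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME : create a self-signed CA key and certificate under $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf CA NAME : issue a server certificate NAME signed by CA
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 90 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against BUNDLE LEAF : exit 0 if LEAF chains to a CA in BUNDLE
verify_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_bundle : concatenate OLD and NEW CA certs; print the bundle path.
# This is the file clients trust during the rotation window; once every
# server certificate has been reissued, the OLD CA can be dropped from it.
build_bundle() {
  cat "$WORK/old-ca.crt" "$WORK/new-ca.crt" > "$WORK/ca-bundle.crt"
  echo "$WORK/ca-bundle.crt"
}

# setup : simulate the rotation: two CAs, one server cert from each, one bundle
setup() {
  make_ca old-ca
  make_ca new-ca
  issue_leaf old-ca fleet-server-old
  issue_leaf new-ca fleet-server-new
  build_bundle >/dev/null
}

# Stand-alone run: build everything and report each verification result.
if [ "${1:-}" = "run" ]; then
  setup
  for leaf in fleet-server-old fleet-server-new; do
    if verify_against "$WORK/ca-bundle.crt" "$WORK/$leaf.crt"; then
      echo "bundle trusts $leaf"
    else
      echo "bundle rejects $leaf"
    fi
  done
fi
```

Run it with `sh rotate-ca-bundle.sh run` (any file name works). The order of operations this models is the one the issue asks for: distribute the bundle to every client first, then swap the server certificate to one signed by the NEW CA, and only remove the OLD CA from the bundle after no server presents an OLD-CA-signed certificate any more.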