Disable demo certificates autogeneration

Is there a way to disable the autogeneration of demo certificates? When the service is installed (CentOS7) the demo certificates are added to /etc/elasticsearch. I am using different certificates and have set opendistro_security.allow_unsafe_democertificates: false in elasticsearch.yml, This results in elasticsearch not being able to start with the error demo certificates found.
Is there config option to disable the autogeneration?
Is it a security risk when opendistro_security.allow_unsafe_democertificates is left true?

Hi @dkalev, unfortunately, the security demo configuration script runs during install (rather than first startup), but the side effect is that you get a template for how things should ultimately look on a “production” installation.

We don’t recommend going to production with the demo certificates, but you can substitute your own in place of the existing ones, change the names and DNs in elasticsearch.yml, delete the opendistro_security.allow_unsafe_democertificates: true line, etc. The demo configuration doesn’t do anything irreversible. You can see what it’s up to here: security/install_demo_configuration.sh at main · opendistro-for-elasticsearch/security · GitHub

Hi @aetter, thanks for your reply. I am automating the deployment with Ansible and even though I am providing my own certificates and pointing to them in elasticsearch.yml, Elasticsearch was not able to start because it was founding the demo certificates besides the ones I have provided in /etc/elasticsearch. This is not a breaking issue as what I am doing now is just removing the demo ones, before providing mine, I just thought there might be a config option I have missed.