elastic · elasticsearchmachine · Dec 15, 2021 · Dec 15, 2021
diff --git a/docs/reference/setup/install/connect-clients.asciidoc b/docs/reference/setup/install/connect-clients.asciidoc
@@ -0,0 +1,50 @@
+==== Connect clients to {es}
+
+When you start {es} for the first time, TLS is configured automatically for the 
+HTTP layer. A CA certificate is generated and stored on disk, and the hex-coded 
+SHA-256 fingerprint of this certificate is also output to the terminal. Any 
+clients that connect to {es}, such as the 
+https://www.elastic.co/guide/en/elasticsearch/client/index.html[{es} Clients],
+{beats}, {ls}, and {fleet} must validate that they trust the certificate that
+{es} uses for HTTPS. Clients can establish trust by using either the fingerprint
+of the CA certificate or the CA certificate itself.
+
+If the auto-configuration process already completed, you can still obtain the 
+fingerprint of the security certificate. You can also copy the CA certificate
+to your machine and configure your client to use it.
+
+[discrete]
+===== Use the CA fingerprint
+
+Copy the fingerprint value that's output to your terminal when {es} starts, and
+configure your client to use this fingerprint to establish trust when it
+connects to {es}.
+
+If the auto-configuration process already completed, you can still obtain the
+fingerprint of the security certificate by running the following command. The 
+path is to the auto-generated CA certificate for the HTTP layer.
+
+[source,sh]
+----
+openssl x509 -fingerprint -sha256 -in config/tls_auto_config_<timestamp>/http_ca.crt
+----
+
+`<timestamp>`:: The timestamp of when the auto-configuration process created the security files directory.
+
+The command returns the security certificate, including the fingerprint.
+The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
+
+[source,sh]
+----
+issuer= /CN=Elasticsearch security auto-configuration HTTP CA
+SHA256 Fingerprint=<fingerprint>
+----
+
+[discrete]
+===== Use the CA certificate
+
+If your library doesn't support a method of validating the fingerprint, the 
+auto-generated CA certificate is created in the
+`config/tls_auto_config_<timestamp>` directory on each {es} node. Copy the
+`http_ca.crt` file to your machine and configure your client to use this
+certificate to establish trust when it connects to {es}.
diff --git a/docs/reference/setup/install/deb.asciidoc b/docs/reference/setup/install/deb.asciidoc
@@ -166,6 +166,8 @@ NOTE: Distributions that use `systemd` require that system resource limits be
 configured via `systemd` rather than via the `/etc/sysconfig/elasticsearch`
 file. See <<systemd>> for more information.
 
+include::connect-clients.asciidoc[]
+
 [[deb-layout]]
 ==== Directory layout of Debian package
 

diff --git a/docs/reference/setup/install/rpm.asciidoc b/docs/reference/setup/install/rpm.asciidoc
@@ -159,6 +159,8 @@ NOTE: Distributions that use `systemd` require that system resource limits be
 configured via `systemd` rather than via the `/etc/sysconfig/elasticsearch`
 file. See <<systemd>> for more information.
 
+include::connect-clients.asciidoc[]
+
 [[rpm-layout]]
 ==== Directory layout of RPM
 

diff --git a/docs/reference/setup/install/targz.asciidoc b/docs/reference/setup/install/targz.asciidoc
@@ -110,6 +110,8 @@ TIP: Typically, any cluster-wide settings (like `cluster.name`) should be
 added to the `elasticsearch.yml` config file, while any node-specific settings
 such as `node.name` could be specified on the command line.
 
+include::connect-clients.asciidoc[]
+
 [[targz-layout]]
 ==== Directory layout of archives
 

diff --git a/docs/reference/setup/install/windows.asciidoc b/docs/reference/setup/install/windows.asciidoc
@@ -434,6 +434,8 @@ for plugins not currently installed, to be downloaded and installed:
 [[msi-installer-upgrade-plugins]]
 image::images/msi_installer/msi_installer_upgrade_plugins.png[]
 
+include::connect-clients.asciidoc[]
+
 [[upgrade-msi-command-line]]
 ==== Upgrade using the command line
 

diff --git a/docs/reference/setup/install/zip-windows.asciidoc b/docs/reference/setup/install/zip-windows.asciidoc
@@ -256,6 +256,8 @@ It is also possible to configure the service after it's been installed using the
 
 Most changes (like JVM settings) made through the manager GUI will require a restart of the service to take affect.
 
+include::connect-clients.asciidoc[]
+
 [[windows-layout]]
 ==== Directory layout of `.zip` archive
 

diff --git a/x-pack/docs/en/security/configuring-stack-security.asciidoc b/x-pack/docs/en/security/configuring-stack-security.asciidoc
@@ -93,6 +93,9 @@ when you started {es}.
 
 include::enroll-nodes.asciidoc[]
 
+[discrete]
+include::{es-ref-dir}/setup/install/connect-clients.asciidoc[leveloffset=-1]
+
 [discrete]
 === What's next?
 Congratulations! You've successfully started the {stack} with security enabled.