# Get SSL certificates

**GET /_ssl/certificates**

Get information about the X.509 certificates that are used to encrypt communications in the cluster. The API returns a list that includes certificates from all TLS contexts including:

- Settings for transport and HTTP interfaces
- TLS settings that are used within authentication realms
- TLS settings for remote monitoring exporters

The list includes certificates that are used for configuring trust, such as those configured in the `xpack.security.transport.ssl.truststore` and `xpack.security.transport.ssl.certificate_authorities` settings. It also includes certificates that are used for configuring server identity, such as `xpack.security.http.ssl.keystore` and `xpack.security.http.ssl.certificate` settings.

The list does not include certificates that are sourced from the default SSL context of the Java Runtime Environment (JRE), even if those certificates are in use within Elasticsearch.

NOTE: When a PKCS#11 token is configured as the truststore of the JRE, the API returns all the certificates that are included in the PKCS#11 token irrespective of whether these are used in the Elasticsearch TLS configuration.

If Elasticsearch is configured to use a keystore or truststore, the API output includes all certificates in that store, even though some of the certificates might not be in active use within the cluster.

## Required authorization

* Cluster privileges: `monitor`

[About setting up transport tls](https://www.elastic.co/docs/deploy-manage/security/set-up-basic-security#encrypt-internode-communication)

## Servers

- http://api.example.com: http://api.example.com

## Authentication methods

- API key auth
- Basic auth
- Bearer auth

## Parameters

## Responses

### 200

#### Body: application/json (array[object])

- **alias** (string | null) If the path refers to a container file (a jks keystore, or a PKCS#12 file), it is the alias of the certificate. Otherwise, it is null.
- **expiry** (string | number) The ISO formatted date of the certificate's expiry (not-after) date.
- **format** (string) The format of the file. Valid values include `jks`, `PKCS12`, and `PEM`.
- **has_private_key** (boolean) Indicates whether Elasticsearch has access to the private key for this certificate.
- **issuer** (string) The Distinguished Name of the certificate's issuer.
- **path** (string) The path to the certificate, as configured in the `elasticsearch.yml` file.
- **serial_number** (string) The hexadecimal representation of the certificate's serial number.
- **subject_dn** (string) The Distinguished Name of the certificate's subject.
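
The following is an added example, not part of the Elasticsearch documentation: a Python triage of the response body described above that flags expired or soon-to-expire certificates and separates identity entries (`has_private_key` true) from trust-only entries. The sample response is constructed, the function names and the 30-day threshold are hypothetical, and reading a numeric `expiry` as epoch milliseconds is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like the 200 response body (not real cluster output).
SAMPLE = json.loads("""[
 {"path": "certs/http.p12", "format": "PKCS12", "alias": "http",
  "subject_dn": "CN=es01.example.test", "issuer": "CN=Example Test CA",
  "serial_number": "1a2b3c", "has_private_key": true,
  "expiry": "2025-01-20T00:00:00.000Z"},
 {"path": "certs/ca.crt", "format": "PEM", "alias": null,
  "subject_dn": "CN=Example Test CA", "issuer": "CN=Example Test CA",
  "serial_number": "0f", "has_private_key": false,
  "expiry": "2027-06-01T00:00:00.000Z"},
 {"path": "certs/trust.jks", "format": "jks", "alias": "old-root",
  "subject_dn": "CN=Old Test Root", "issuer": "CN=Old Test Root",
  "serial_number": "7d", "has_private_key": false,
  "expiry": 1700000000000}
]""")

def parse_expiry(value):
    """expiry is string | number: ISO date, or (assumed here) epoch milliseconds."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def audit(certs, now, warn_days=30):
    """Return (status, role, path, alias, subject_dn, days_left), soonest expiry first."""
    rows = []
    for cert in certs:
        days_left = (parse_expiry(cert["expiry"]) - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        # has_private_key separates server identity entries from trust-only entries.
        role = "identity" if cert["has_private_key"] else "trust"
        rows.append((status, role, cert["path"], cert["alias"],
                     cert["subject_dn"], days_left))
    return sorted(rows, key=lambda row: row[-1])

if __name__ == "__main__":
    for row in audit(SAMPLE, datetime.now(timezone.utc)):
        print(*row, sep="\t")
```

Because the API lists every certificate in a configured keystore or truststore, an expired `trust` row may belong to an entry that is not in active use; an expired or expiring `identity` row is the one to act on first.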