From 5135585f847bda0cdbfe2cfb912c045e1d06e554 Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Mon, 10 Nov 2025 11:52:52 +0100 Subject: [PATCH 01/15] Add RCS Strong Verification Documentation --- .../remote-clusters.md | 73 ++++++++++++++++++- 1 file changed, 72 insertions(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 8f8244c72e5d8..a6c95a0903fe2 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
@@ -76,4 +76,75 @@ To use [proxy mode](docs-content://deploy-manage/remote-clusters/remote-clusters : The number of socket connections to open per remote cluster. The default is `18`. `cluster.remote..server_name` -: An optional hostname string which is sent in the `server_name` field of the TLS Server Name Indication extension if [TLS is enabled](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication). The TLS transport will fail to open remote connections if this field is not a valid hostname as defined by the TLS SNI specification. \ No newline at end of file +: An optional hostname string which is sent in the `server_name` field of the TLS Server Name Indication extension if [TLS is enabled](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication). The TLS transport will fail to open remote connections if this field is not a valid hostname as defined by the TLS SNI specification. + +## Remote cluster strong verification settings [remote-cluster-signing-settings] +preview::[] + +The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. + +### Signature verification settings [remote-cluster-signature-verification] + +The following global settings are used on the remote cluster to verify signatures from incoming cross-cluster requests. At least one of +`cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured to enable signature verification. 
+ +`cluster.remote.signing.certificate_authorities` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at the same time. + +`cluster.remote.signing.truststore.path` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. + +`cluster.remote.signing.truststore.secure_password` +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. + +`cluster.remote.signing.truststore.algorithm` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to the default algorithm for the Java KeyManagerFactory. + +`cluster.remote.signing.truststore.type` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. + +`cluster.remote.signing.diagnose.trust` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. 
If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. + + +### Request signing settings [remote-cluster-request-signing] + +The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests. A private key and certificate +must be configured for each remote cluster that requires signature verification. + + +### PEM encoded files [remote-cluster-signing-pem-files] + +When using PEM encoded files for signing, use the following settings: + +`cluster.remote..signing.key` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. + +`cluster.remote..signing.key.secure_passphrase` +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Since the key might not be encrypted, this value is optional. + +`cluster.remote..signing.certificate` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. 
+ + +### Java keystore files [remote-cluster-signing-keystore-files] + +When using Java keystore files (JKS) for signing, which contain the private key and certificate, use the following settings: + +`cluster.remote..signing.keystore.path` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. + +`cluster.remote..signing.keystore.type` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. + +`cluster.remote..signing.keystore.alias` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. + +`cluster.remote..signing.keystore.secure_password` +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. + +`cluster.remote..signing.keystore.secure_key_password` +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. + +`cluster.remote..signing.keystore.algorithm` +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory. 
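Review bot: "At least one of `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured" in the Signature verification settings intro conflicts with the per-setting text "You cannot use this setting and `cluster.remote.signing.truststore.path` at the same time"; because the two are mutually exclusive, write "exactly one of". In the same section, `cluster.remote.signing.truststore.algorithm` says it "Defaults to the default algorithm for the Java KeyManagerFactory", but a truststore is loaded through a TrustManagerFactory, whose JDK default (`PKIX`) differs from the KeyManagerFactory default (`SunX509`); confirm which factory the code uses and name that one. `cluster.remote.signing.truststore.type` lists the recognised suffixes as ".p12", ".pfx", or "pkcs12" while `cluster.remote..signing.keystore.type` lists ".p12", ".pfx", or ".pkcs12"; add the missing dot so the two entries agree. Every per-cluster setting renders with an empty segment between the dots (`cluster.remote..signing.key`), as does the pre-existing `cluster.remote..server_name`, which suggests the alias placeholder is being dropped as markup; check that it survives rendering. Finally, the section documents what is logged when a signature "is rejected due to a failure to establish trust" but not what the remote cluster does with an unsigned request once verification is configured; one sentence stating whether such requests are rejected would close that gap.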
From 5001d43648aeacb2836e2334ba7afe47b1267add Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Mon, 10 Nov 2025 14:53:07 +0100 Subject: [PATCH 02/15] fixup! Tech preview disclaimer --- .../elasticsearch/configuration-reference/remote-clusters.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index a6c95a0903fe2..f43f07aff8c17 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -79,7 +79,9 @@ To use [proxy mode](docs-content://deploy-manage/remote-clusters/remote-clusters : An optional hostname string which is sent in the `server_name` field of the TLS Server Name Indication extension if [TLS is enabled](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication). The TLS transport will fail to open remote connections if this field is not a valid hostname as defined by the TLS SNI specification. ## Remote cluster strong verification settings [remote-cluster-signing-settings] -preview::[] +::::{warning} +This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. +:::: The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. From bf7ce5ead458674ff10d884621854d24611c7d1c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:15:39 +0100 Subject: [PATCH 03/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../configuration-reference/remote-clusters.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index f43f07aff8c17..3d5f2e3564d3a 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -79,9 +79,10 @@ To use [proxy mode](docs-content://deploy-manage/remote-clusters/remote-clusters : An optional hostname string which is sent in the `server_name` field of the TLS Server Name Indication extension if [TLS is enabled](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication). The TLS transport will fail to open remote connections if this field is not a valid hostname as defined by the TLS SNI specification. ## Remote cluster strong verification settings [remote-cluster-signing-settings] -::::{warning} -This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -:::: +```{applies_to} +deployment: + self: preview 9.3 +``` The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. 
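Review bot: `self: preview 9.3` under `deployment:` in the new `{applies_to}` block scopes the section to self-managed deployments only, while patch 13 later badges every setting "Supported on Elastic Cloud Hosted" and rewrites this key to `stack: preview 9.3`; squash the fixups so the series never introduces the narrower scope, and keep the `{applies_to}` block rather than the hand-written technical-preview admonition it replaces.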
From a06c9ac5667d297afb32cf2679515b0d22aa3b93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:16:24 +0100 Subject: [PATCH 04/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 3d5f2e3564d3a..439601cb8d6d1 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -98,7 +98,7 @@ The following global settings are used on the remote cluster to verify signature : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. `cluster.remote.signing.truststore.secure_password` -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) Password for the truststore specified by `cluster.remote.signing.truststore.path`. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. `cluster.remote.signing.truststore.algorithm` : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to the default algorithm for the Java KeyManagerFactory. From c2ecc549b342b63193d8c32fdb628852a4e3e0ab Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:16:51 +0100 Subject: [PATCH 05/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 439601cb8d6d1..a1e5af0afff9e 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -141,7 +141,7 @@ When using Java keystore files (JKS) for signing, which contain the private key : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. `cluster.remote..signing.keystore.alias` -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. `cluster.remote..signing.keystore.secure_password` : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. 
From 0ba92321438f83546037534e53d890c6e6ac4e4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:17:01 +0100 Subject: [PATCH 06/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index a1e5af0afff9e..9b2c8b01d84df 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
@@ -127,7 +127,7 @@ When using PEM encoded files for signing, use the following settings: : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Since the key might not be encrypted, this value is optional. `cluster.remote..signing.certificate` -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Specifies the path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. ### Java keystore files [remote-cluster-signing-keystore-files] From 58eb89852f918a617ce505b0bdd4f6143b38e623 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:17:16 +0100 Subject: [PATCH 07/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 9b2c8b01d84df..ddfe7ef69e282 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -124,7 +124,7 @@ When using PEM encoded files for signing, use the following settings: : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. `cluster.remote..signing.key.secure_passphrase` -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Since the key might not be encrypted, this value is optional. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. `cluster.remote..signing.certificate` : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. From 6714ac317638726167396201cdcfad609d5b7321 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:46:53 +0100 Subject: [PATCH 08/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index ddfe7ef69e282..64acf1c312866 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -121,7 +121,7 @@ must be configured for each remote cluster that requires signature verification. When using PEM encoded files for signing, use the following settings: `cluster.remote..signing.key` -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. `cluster.remote..signing.key.secure_passphrase` : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. From b1ca094d5c36d625245f413386abdc0433bf6998 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Tue, 11 Nov 2025 16:48:11 +0100 Subject: [PATCH 09/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md Co-authored-by: shainaraskas <58563081+shainaraskas@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 64acf1c312866..5a52e3b7dd90f 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -84,7 +84,7 @@ deployment: self: preview 9.3 ``` -The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/remote-clusters-api-key.md). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. +The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/security-models.md#api-key). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. ### Signature verification settings [remote-cluster-signature-verification] From c56f2fb43500752fc678362c0af7469894d41d70 Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Tue, 11 Nov 2025 16:48:41 +0100 Subject: [PATCH 10/15] fixup! Code review comments --- .../elasticsearch/configuration-reference/remote-clusters.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 5a52e3b7dd90f..875bdcebb217f 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md @@ -101,7 +101,8 @@ The following global settings are used on the remote cluster to verify signature : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. `cluster.remote.signing.truststore.algorithm` -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to the default algorithm for the Java KeyManagerFactory. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to +`SunX509`. `cluster.remote.signing.truststore.type` : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. From 1aaba2b8a7290c3d30a29de67e92eafd2020d1b6 Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Tue, 11 Nov 2025 16:53:17 +0100 Subject: [PATCH 11/15] fixup! Code review comments --- .../elasticsearch/configuration-reference/remote-clusters.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 875bdcebb217f..cfe3dfe4cb05e 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
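Review bot: the new default `SunX509` for `cluster.remote.signing.truststore.algorithm` is the JDK's default KeyManagerFactory algorithm; the default TrustManagerFactory algorithm, which is what a truststore is normally loaded with, is `PKIX`, so confirm the documented value is what the code passes for the truststore rather than the keystore default carried over. The replacement also splits the sentence across two lines ("Defaults to" / "`SunX509`.") while every other entry in the file is a single line; keep it on one line.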
@@ -113,8 +113,8 @@ The following global settings are used on the remote cluster to verify signature ### Request signing settings [remote-cluster-request-signing] -The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests. A private key and certificate -must be configured for each remote cluster that requires signature verification. +The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests per-cluster alias. A +private key and certificate must be configured for each remote cluster that requires signature verification. ### PEM encoded files [remote-cluster-signing-pem-files] From 58b56b0af0f7576a0c324bbe331290d2ea73b793 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Fred=C3=A9n?= <109296772+jfreden@users.noreply.github.com> Date: Thu, 13 Nov 2025 13:24:54 +0100 Subject: [PATCH 12/15] Update docs/reference/elasticsearch/configuration-reference/remote-clusters.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../elasticsearch/configuration-reference/remote-clusters.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index cfe3dfe4cb05e..6577766260f6a 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
@@ -113,8 +113,7 @@ The following global settings are used on the remote cluster to verify signature ### Request signing settings [remote-cluster-request-signing] -The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests per-cluster alias. A -private key and certificate must be configured for each remote cluster that requires signature verification. +The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests per-cluster alias. A private key and certificate must be configured for each remote cluster that requires signing requests. ### PEM encoded files [remote-cluster-signing-pem-files] From a2bb187e982220adbd4bed4f30c5f9250451dd52 Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Thu, 13 Nov 2025 13:38:19 +0100 Subject: [PATCH 13/15] fixup! Code review --- .../remote-clusters.md | 55 ++++++++++++------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index 6577766260f6a..b044d7ba7e67f 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
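Review bot: "sign outgoing cross-cluster requests per-cluster alias" in the rewritten request-signing paragraph (patch 12, carried over from patch 11) is ungrammatical, and "each remote cluster that requires signing requests" reads as if the remote cluster does the signing; suggest "The following settings are configured on the local cluster per remote cluster alias and are used to sign outgoing cross-cluster requests. A private key and certificate must be configured for every remote cluster whose requests must be signed."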
@@ -78,36 +78,42 @@ To use [proxy mode](docs-content://deploy-manage/remote-clusters/remote-clusters `cluster.remote..server_name` : An optional hostname string which is sent in the `server_name` field of the TLS Server Name Indication extension if [TLS is enabled](docs-content://deploy-manage/security/secure-cluster-communications.md#encrypt-internode-communication). The TLS transport will fail to open remote connections if this field is not a valid hostname as defined by the TLS SNI specification. -## Remote cluster strong verification settings [remote-cluster-signing-settings] +## Remote cluster strong identity verification settings [remote-cluster-signing-settings] ```{applies_to} deployment: - self: preview 9.3 + stack: preview 9.3 ``` The following settings are used to sign and verify cross-cluster API key requests when using the [API key-based security model](docs-content://deploy-manage/remote-clusters/security-models.md#api-key). These settings enable certificate-based signatures on cross-cluster requests to provide additional security by validating that requests originate from trusted clusters. -### Signature verification settings [remote-cluster-signature-verification] +### Strong identity verification settings [remote-cluster-signature-verification] The following global settings are used on the remote cluster to verify signatures from incoming cross-cluster requests. At least one of `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured to enable signature verification. -`cluster.remote.signing.certificate_authorities` +`cluster.remote.signing.certificate_authorities` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. 
These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at the same time. -`cluster.remote.signing.truststore.path` +`cluster.remote.signing.truststore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. -`cluster.remote.signing.truststore.secure_password` +`cluster.remote.signing.truststore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. -`cluster.remote.signing.truststore.algorithm` +`cluster.remote.signing.truststore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to `SunX509`. -`cluster.remote.signing.truststore.type` +`cluster.remote.signing.truststore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. 
-`cluster.remote.signing.diagnose.trust` +`cluster.remote.signing.diagnose.trust` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. 
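Review bot: The image titles added to every setting in this hunk are wrapped across a line break (`"Supported on` on one line, `Elastic Cloud Hosted")` on the next), so the markdown title attribute spans two lines and is likely to render as literal text or break the image; keep each image on a single line, e.g. `![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted")`. Two smaller points in the same hunk: the `cluster.remote.signing.truststore.type` text says the default is `PKCS12` when the file name ends in `".p12", ".pfx", or "pkcs12"`, while the keystore counterpart in the next hunk says `".pkcs12"`, so the leading dot looks dropped here; and the intro states that at least one of `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured to enable verification but not what the remote cluster does with an incoming signed request when neither is set (signature ignored, or request rejected), which is the one sentence an operator needs to judge the security posture of this preview feature.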
@@ -116,38 +122,47 @@ The following global settings are used on the remote cluster to verify signature The following per-cluster settings are used on the local cluster to sign outgoing cross-cluster requests per-cluster alias. A private key and certificate must be configured for each remote cluster that requires signing requests. -### PEM encoded files [remote-cluster-signing-pem-files] +#### PEM encoded files [remote-cluster-signing-pem-files] When using PEM encoded files for signing, use the following settings: -`cluster.remote..signing.key` +`cluster.remote..signing.key` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. -`cluster.remote..signing.key.secure_passphrase` +`cluster.remote..signing.key.secure_passphrase` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. -`cluster.remote..signing.certificate` +`cluster.remote..signing.certificate` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. 
This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. -### Java keystore files [remote-cluster-signing-keystore-files] +#### Java keystore files [remote-cluster-signing-keystore-files] When using Java keystore files (JKS) for signing, which contain the private key and certificate, use the following settings: -`cluster.remote..signing.keystore.path` +`cluster.remote..signing.keystore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. -`cluster.remote..signing.keystore.type` +`cluster.remote..signing.keystore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. -`cluster.remote..signing.keystore.alias` +`cluster.remote..signing.keystore.alias` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. 
If the keystore contains more than one private key, this setting must be specified. -`cluster.remote..signing.keystore.secure_password` +`cluster.remote..signing.keystore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. -`cluster.remote..signing.keystore.secure_key_password` +`cluster.remote..signing.keystore.secure_key_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. -`cluster.remote..signing.keystore.algorithm` +`cluster.remote..signing.keystore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on +Elastic Cloud Hosted") : ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory. From cf60476d50beb41c0926592bb2f3cba173a5b99a Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Thu, 13 Nov 2025 13:58:58 +0100 Subject: [PATCH 14/15] fixup! Syntax --- .../remote-clusters.md | 77 ++++++++----------- 1 file changed, 31 insertions(+), 46 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index b044d7ba7e67f..a34ab66d847cd 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
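Review bot: The `cluster.remote..signing.certificate` entry says it can be used only if `cluster.remote..signing.key` is set, but not whether it is required whenever `signing.key` is set; since this certificate is what the remote cluster checks against its `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path`, state whether request signing is refused without it rather than leaving the reader to infer it. The heading `#### Java keystore files [remote-cluster-signing-keystore-files]` and its intro describe JKS files, yet `signing.keystore.path` and `signing.keystore.type` accept `jks` or `PKCS12`; "Keystore files", matching the truststore wording, would be accurate. The wrapped `"Supported on` / `Elastic Cloud Hosted")` image titles have the same line-break problem as the previous hunk.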
@@ -91,30 +91,24 @@ The following settings are used to sign and verify cross-cluster API key request The following global settings are used on the remote cluster to verify signatures from incoming cross-cluster requests. At least one of `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured to enable signature verification. -`cluster.remote.signing.certificate_authorities` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at the same time. +`cluster.remote.signing.certificate_authorities` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at +the same time. -`cluster.remote.signing.truststore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. 
You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. +`cluster.remote.signing.truststore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. -`cluster.remote.signing.truststore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. +`cluster.remote.signing.truststore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. -`cluster.remote.signing.truststore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to -`SunX509`. +`cluster.remote.signing.truststore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to `SunX509`. 
-`cluster.remote.signing.truststore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. +`cluster.remote.signing.truststore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. -`cluster.remote.signing.diagnose.trust` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. +`cluster.remote.signing.diagnose.trust` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. 
If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. ### Request signing settings [remote-cluster-request-signing] 
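Review bot: Two of the rejoined image titles lost their space: `cluster.remote.signing.certificate_authorities` and `cluster.remote.signing.truststore.path` now read `"Supported onElastic Cloud Hosted"`, while the other three entries in this hunk read `"Supported on Elastic Cloud Hosted"`. The `certificate_authorities` description also gains a new line break inside the definition body (`... at` / `the same time.`); keep that sentence on one line like the neighbouring entries so the definition list renders as one item.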
@@ -126,43 +120,34 @@ The following per-cluster settings are used on the local cluster to sign outgoin When using PEM encoded files for signing, use the following settings: -`cluster.remote..signing.key` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. +`cluster.remote..signing.key` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. -`cluster.remote..signing.key.secure_passphrase` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. +`cluster.remote..signing.key.secure_passphrase` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. 
-`cluster.remote..signing.certificate` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. +`cluster.remote..signing.certificate` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. #### Java keystore files [remote-cluster-signing-keystore-files] When using Java keystore files (JKS) for signing, which contain the private key and certificate, use the following settings: -`cluster.remote..signing.keystore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. 
+`cluster.remote..signing.keystore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. -`cluster.remote..signing.keystore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. +`cluster.remote..signing.keystore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. -`cluster.remote..signing.keystore.alias` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. 
+`cluster.remote..signing.keystore.alias` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. -`cluster.remote..signing.keystore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. +`cluster.remote..signing.keystore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. -`cluster.remote..signing.keystore.secure_key_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. +`cluster.remote..signing.keystore.secure_key_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. 
-`cluster.remote..signing.keystore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on -Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory. +`cluster.remote..signing.keystore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory. From a04d9dad50e6f417b77f55b1783c50441df9f4d8 Mon Sep 17 00:00:00 2001 From: Johannes Freden Jansson Date: Thu, 13 Nov 2025 14:03:55 +0100 Subject: [PATCH 15/15] fixup! Syntax --- .../remote-clusters.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md index a34ab66d847cd..b7e1b9b630d06 100644 --- a/docs/reference/elasticsearch/configuration-reference/remote-clusters.md +++ b/docs/reference/elasticsearch/configuration-reference/remote-clusters.md 
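Review bot: The `cluster.remote..signing.keystore.type` image title reads `"Supported onElastic Cloud Hosted"` (no space before `Elastic`) while every other entry in this hunk reads `"Supported on Elastic Cloud Hosted"`; fix it here so the per-cluster signing section stays consistent with the rest of the file.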
@@ -92,23 +92,23 @@ The following global settings are used on the remote cluster to verify signature `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` must be configured to enable signature verification. `cluster.remote.signing.certificate_authorities` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) List of paths to PEM encoded certificate files that should be trusted when verifying signatures from cross-cluster requests. These certificates are used to establish trust with the signing certificates presented by querying clusters. You cannot use this setting and `cluster.remote.signing.truststore.path` at the same time. `cluster.remote.signing.truststore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the truststore that contains the certificates to trust when verifying signatures. It must be either a Java keystore (jks) or a PKCS#12 file. 
You cannot use this setting and `cluster.remote.signing.certificate_authorities` at the same time. `cluster.remote.signing.truststore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the truststore specified by `cluster.remote.signing.truststore.path`. `cluster.remote.signing.truststore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to `SunX509`. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the truststore. Defaults to `SunX509`. `cluster.remote.signing.truststore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the truststore file. It must be either `jks` or `PKCS12`. If the file name ends in ".p12", ".pfx", or "pkcs12", the default is `PKCS12`. Otherwise, it defaults to `jks`. 
`cluster.remote.signing.diagnose.trust` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) Controls whether to output diagnostic messages for signature verification trust failures. If this is `true` (the default), a message will be printed to the {{es}} log whenever a cross-cluster signature verification is rejected due to a failure to establish trust. This diagnostic message contains information that can be used to determine the cause of the failure and assist with resolving the problem. Set to `false` to disable these messages. ### Request signing settings [remote-cluster-request-signing] 
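Review bot: This hunk strips trailing whitespace and rejoins the `at` / `the same time.` split, but the unchanged context lines for `cluster.remote.signing.certificate_authorities` and `cluster.remote.signing.truststore.path` still carry `"Supported onElastic Cloud Hosted"` with the space missing; since the commit is titled `fixup! Syntax`, correct those two titles in the same change instead of leaving them for a later pass.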
@@ -121,13 +121,13 @@ The following per-cluster settings are used on the local cluster to sign outgoin When using PEM encoded files for signing, use the following settings: `cluster.remote..signing.key` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path to a PEM encoded file containing the private key used to sign cross-cluster requests to the remote cluster. You cannot use this setting and `cluster.remote..signing.keystore.path` at the same time. `cluster.remote..signing.key.secure_passphrase` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The passphrase that is used to decrypt the private key specified by `cluster.remote..signing.key`. Because the key might not be encrypted, this value is optional. `cluster.remote..signing.certificate` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. 
This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the PEM encoded certificate (or certificate chain) that is associated with the signing key. This certificate is sent as part of the signature and must be trusted by the remote cluster's `cluster.remote.signing.certificate_authorities` or `cluster.remote.signing.truststore.path` configuration. This setting can be used only if `cluster.remote..signing.key` is set. #### Java keystore files [remote-cluster-signing-keystore-files] 
@@ -135,19 +135,19 @@ When using PEM encoded files for signing, use the following settings: When using Java keystore files (JKS) for signing, which contain the private key and certificate, use the following settings: `cluster.remote..signing.keystore.path` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The path for the keystore file that contains the private key and certificate used to sign cross-cluster requests. It must be either a Java keystore (jks) or a PKCS#12 file. You cannot use this setting and `cluster.remote..signing.key` at the same time. `cluster.remote..signing.keystore.type` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported onElastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The format of the keystore file. It must be either `jks` or `PKCS12`. If the keystore path ends in ".p12", ".pfx", or ".pkcs12", this setting defaults to `PKCS12`. Otherwise, it defaults to `jks`. 
`cluster.remote..signing.keystore.alias` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The alias of the key within the keystore that should be used for signing cross-cluster requests. If the keystore contains more than one private key, this setting must be specified. `cluster.remote..signing.keystore.secure_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the keystore specified by `cluster.remote..signing.keystore.path`. `cluster.remote..signing.keystore.secure_key_password` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. +: ([Secure](docs-content://deploy-manage/security/secure-settings.md)) The password for the key in the keystore specified by `cluster.remote..signing.keystore.path`. Defaults to the keystore password. 
`cluster.remote..signing.keystore.algorithm` ![logo cloud](https://doc-icons.s3.us-east-2.amazonaws.com/logo_cloud.svg "Supported on Elastic Cloud Hosted") -: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory. +: ([Dynamic](docs-content://deploy-manage/stack-settings.md#dynamic-cluster-setting)) The algorithm for the keystore. Defaults to the default algorithm for the Java KeyManagerFactory.
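Review bot: The `cluster.remote..signing.keystore.type` context line still reads `"Supported onElastic Cloud Hosted"` after both syntax fixups; it is the last remaining inconsistent title in this section and should be corrected here. PATCH 14 and PATCH 15 are both `fixup! Syntax` commits that only change whitespace and line joins, so squash them into PATCH 01 before merge rather than carrying two fixup commits in the history.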