From 445075736e16e9803aada6b4190fac4e43cc0f8d Mon Sep 17 00:00:00 2001
From: David Kilfoyle <david.kilfoyle@elastic.co>
Date: Fri, 11 Apr 2025 10:29:07 -0400
Subject: [PATCH] Add note about extended key usage for Logstash output

---
 .../security/logstash-certificates.asciidoc                 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs/en/ingest-management/security/logstash-certificates.asciidoc b/docs/en/ingest-management/security/logstash-certificates.asciidoc
index 92d59bfbe..0100ebb55 100644
--- a/docs/en/ingest-management/security/logstash-certificates.asciidoc
+++ b/docs/en/ingest-management/security/logstash-certificates.asciidoc
@@ -28,11 +28,15 @@ cluster. For more information, refer to the
 You can use whatever process you typically use to generate PEM-formatted
 certificates. The examples shown here use the `certutil` tool provided by {es}.
 
-TIP: The `certutil` tool is not available on {ecloud}, but you can still use it
+[TIP] 
+==== 
+* The `certutil` tool is not available on {ecloud}, but you can still use it
 to generate certificates for {agent} to {ls} connections. Just
 https://www.elastic.co/downloads/elasticsearch[download an {es} package],
 extract it to a local directory, and run the `elasticsearch-certutil` command.
 There's no need to start {es}!
+* If you choose not to use link:https://www.elastic.co/guide/en/elasticsearch/reference/8.17/certutil.html[certutil], the certificates that you obtain must allow for both clientAuth and serverAuth if the extended key usage extension is present.
+====
 
 . Generate a certificate authority (CA). Skip this step if you want to use an
 existing CA.