- Elastic Cloud Enterprise - Elastic Cloud on your Infrastructure: other versions:
- What is Elastic Cloud Enterprise?
- Getting started
- Planning your installation
- Preparing your environment
- Installing Elastic Cloud Enterprise
- Configuring your installation
- Securing your installation
- Monitoring your installation
- Administering your installation
- Getting started with deployments
- Administering deployments
- Change your deployment configuration
- Stop routing requests or pause nodes
- Stop a deployment
- Restart a deployment
- Delete a deployment
- Access the Elasticsearch API
- Work with snapshots
- Upgrade versions
- Editing your user settings
- Configure Beats and Logstash with Cloud ID
- Keep your clusters healthy
- Secure your clusters
- Reset the password for the
elastic
user - Manage users and roles in X-Pack
- Manage users and roles in Shield
- Configure the Java Transport client
- Filter IP traffic
- Secure your settings
- Secure your 7.x clusters with LDAP
- Secure your 7.x clusters with Active Directory
- Secure your 5.x and 6.x clusters with LDAP
- Secure your 5.x and 6.x clusters with Active Directory
- Secure your clusters with SAML
- Secure your clusters with OpenID Connect
- Secure your clusters with Kerberos
- Reset the password for the
- Manage your Kibana instance
- Manage your APM Server
- Enable Monitoring (formerly Marvel)
- Enable Graph (versions before 5.0)
- Connect to your cluster
- Enable cross-cluster search
- Enable App Search
- Troubleshooting
- RESTful API
- Authentication
- API calls
- Access the API from the Command Line
- Create an API client
- API examples
- Setting up your environment
- A first API call: What deployments are there?
- Create a first deployment: Just an Elasticsearch cluster
- Create a Deployment: Elasticsearch Cluster and Kibana instance
- Updating a deployment: Resize and add high availability
- Updating a deployment: Checking on progress
- Applying a new deployment configuration: Upgrade
- Enable more stack features: Add Kibana to a deployment
- Dipping a toe into platform automation: Generate a roles token
- Customize your deployment
- Remove unwanted deployment templates and instance configurations
- Secure your settings
- API reference
- Authentication
- User authentication information
- Disable elevated permissions
- Enable elevated permissions
- Login to ECE
- Refresh authentication token
- Delete API keys
- Get all API keys
- Create API key
- Delete API keys of multiple users
- Get all API keys for all users
- Delete API key
- Get API key
- Available authentication methods
- Re-authenticate to generate a token
- SAML callback
- Initiate SAML protocol
- Delete API keys for a user
- Get all API keys for a user
- Delete an API key for a user
- Get a user API key
- Clusters - Apm - CRUD
- Clusters - Apm - CRUD - Configuration
- Clusters - Apm - Commands
- Resynchronize clusters
- Search clusters
- Restart cluster
- Resynchronize cluster
- Shut down cluster
- Upgrade cluster
- Move instances (advanced)
- Start all instances
- Stop all instances
- Start maintenance mode all instances
- Stop maintenance mode all instances
- Move instances
- Start instances
- Stop instances
- Start maintenance mode
- Stop maintenance mode
- Clusters - Elasticsearch - CRUD
- Clusters - Elasticsearch - CRUD - Configuration
- Get cross-cluster search clusters
- Get remote clusters for cross-cluster search
- Set remote clusters for cross-cluster search
- Get cluster curation settings
- Update cluster curation settings
- Set settings overrides (all instances)
- Set settings overrides
- Get settings from this cluster’s keystore
- Add or remove settings from the cluster keystore
- Set cluster name
- Get cluster metadata
- Set cluster metadata
- Get cluster metadata settings
- Update cluster metadata settings
- Cancel monitoring
- Set monitoring
- Get plan
- Update plan
- Migrate plan
- Get plan activity
- Cancel pending plan
- Get pending plan
- Set legacy security settings
- Get cluster snapshot settings
- Update cluster snapshot settings
- Clusters - Elasticsearch - Commands
- Resynchronize clusters
- Search clusters
- Restart cluster
- Resynchronize cluster
- Shut down cluster
- Take snapshot
- Move instances (advanced)
- Start all instances
- Stop all instances
- Start maintenance mode all instances
- Stop maintenance mode all instances
- Move instances
- Start instances
- Stop instances
- Start maintenance mode
- Stop maintenance mode
- Clusters - Elasticsearch - Proxy
- Clusters - Elasticsearch - Support
- Clusters - Kibana - CRUD
- Clusters - Kibana - CRUD - Configuration
- Clusters - Kibana - Commands
- Resynchronize clusters
- Search clusters
- Restart cluster
- Resynchronize cluster
- Shut down cluster
- Upgrade cluster
- Move instances (advanced)
- Start all instances
- Stop all instances
- Start maintenance mode all instances
- Stop maintenance mode all instances
- Move instances
- Start instances
- Stop instances
- Start maintenance mode
- Stop maintenance mode
- Clusters - Kibana - Proxy
- Clusters - Search
- Comments
- Deployment - CRUD
- Deployment - Commands
- Search Deployments
- Reset elastic user password
- Restart Deployment Elasticsearch Resource
- Shutdown Deployment Elasticsearch Resource
- Start all instances
- Stop all instances
- Start maintenance mode (all instances)
- Stop maintenance mode (all instances)
- Start instances
- Stop of instances
- Start maintenance mode
- Stop maintenance mode
- Restart Deployment Stateless Resource
- Shutdown Deployment Stateless Resource
- Upgrade Kibana, APM, AppSearch inside Deployment
- Deployment - Info
- Deployment - resync
- Deployment Resources - CRUD
- Deployments - IP Filtering - CRUD
- Deployments - Notes
- Platform
- Platform - Allocators
- Get allocators
- Resynchronize allocators
- Search allocators
- Delete allocator
- Get allocator
- Resynchronize allocator
- Move clusters
- Move clusters by type
- Start maintenance mode
- Stop maintenance mode
- Get allocator metadata
- Set allocator metadata
- Delete allocator metadata item
- Set allocator metadata item
- Get allocator settings
- Update allocator settings
- Set allocator settings
- Platform - Configuration - Instances - CRUD
- Platform - Configuration - Security
- Platform - Configuration - Security Deployment
- Platform - Configuration - Security Realms
- List security realm configurations
- Reorder security realms
- Create Active Directory configuration
- Delete Active Directory configuration
- Get Active Directory configuration
- Update Active Directory configuration
- Create LDAP configuration
- Delete LDAP configuration
- Get LDAP configuration
- Update LDAP configuration
- Create SAML configuration
- Delete SAML configuration
- Get SAML configuration
- Update SAML configuration
- Platform - Configuration - TLS
- Platform - Constructors
- Platform - License
- Platform - Repository - CRUD
- Platform - Runners
- Platform - configuration - Store
- Platform - proxies
- Roles
- Stack - Instance Types - CRUD
- Stack - Versions - CRUD
- Templates - Deployments
- User Features Controls
- Users
- Definitions
ActiveDirectoryGroupSearch
ActiveDirectorySecurityRealmLoadBalance
ActiveDirectorySecurityRealmRoleMappingRule
ActiveDirectorySecurityRealmRoleMappingRules
ActiveDirectorySettings
ActiveDirectoryUserSearch
AllocatedInstancePlansInfo
AllocatedInstanceStatus
AllocatorBuildInfo
AllocatorCapacity
AllocatorCapacityMemory
AllocatorHealthStatus
AllocatorInfo
AllocatorMoveRequest
AllocatorOverview
AllocatorSettings
AllocatorZoneInfo
ApiKeyResponse
ApiKeysResponse
Apm
ApmConfiguration
ApmCrudResponse
ApmInfo
ApmPayload
ApmPlan
ApmPlanControlConfiguration
ApmPlanInfo
ApmPlansInfo
ApmResourceInfo
ApmSettings
ApmSubInfo
ApmSystemSettings
ApmTopologyElement
ApmsInfo
AppSearch
AppSearchConfiguration
AppSearchInfo
AppSearchNodeTypes
AppSearchPayload
AppSearchPlan
AppSearchPlanControlConfiguration
AppSearchPlanInfo
AppSearchPlansInfo
AppSearchResourceInfo
AppSearchSettings
AppSearchSubInfo
AppSearchSystemSettings
AppSearchTopologyElement
AuthenticationInfo
AvailableAuthenticationMethods
BasicFailedReply
BasicFailedReplyElement
Blessing
Blessings
BlessingsWithMeta
BoolQuery
CapacityConstraintsResource
ChangeSourceInfo
ClusterCommandResponse
ClusterCredentials
ClusterCrudResponse
ClusterCurationSettings
ClusterCurationSpec
ClusterInfo
ClusterInstanceConfigurationInfo
ClusterInstanceDiskInfo
ClusterInstanceInfo
ClusterInstanceMemoryInfo
ClusterLicenseInfo
ClusterMetadataCpuResourcesSettings
ClusterMetadataInfo
ClusterMetadataPortInfo
ClusterMetadataResourcesSettings
ClusterMetadataSettings
ClusterPlanMigrationResponse
ClusterPlanStepInfo
ClusterPlanStepLogMessageInfo
ClusterSnapshotRepositoryDefault
ClusterSnapshotRepositoryInfo
ClusterSnapshotRepositoryReference
ClusterSnapshotRepositoryStatic
ClusterSnapshotRequest
ClusterSnapshotResponse
ClusterSnapshotRetention
ClusterSnapshotSettings
ClusterSystemAlert
ClusterTopologyInfo
ClusterUpgradeInfo
ClustersInfo
Comment
CommentCreateRequest
CommentUpdateRequest
CommentWithMeta
CommentsWithMetas
CompatibleNodeTypesResource
CompatibleVersionResource
ConfigStoreOption
ConfigStoreOptionData
ConfigStoreOptionList
ConstructorHealthStatus
ConstructorInfo
ConstructorOverview
ContainerConfigHostConfig
ContainersEntry
ContainersEntryOptions
ContainersEntryOptionsACL
ContainersEntryOptionsAuth
ContainersEntryOptionsContainerConfig
ContainersEntryOptionsOverrides
CreateApiKeyRequest
CreateApmInCreateElasticsearchRequest
CreateApmRequest
CreateAppSearchRequest
CreateElasticsearchClusterRequest
CreateKibanaInCreateElasticsearchRequest
CreateKibanaRequest
Creates
CrossClusterSearchClusters
CrossClusterSearchInfo
CrossClusterSearchSettings
DeleteApiKeysRequest
DeleteUsersApiKeysRequest
DeploymentCreateMetadata
DeploymentCreateRequest
DeploymentCreateResources
DeploymentCreateResponse
DeploymentCreateSettings
DeploymentDeleteResponse
DeploymentDiagnostics
DeploymentGetResponse
DeploymentMetadata
DeploymentResource
DeploymentResourceCommandResponse
DeploymentResourceCrudResponse
DeploymentResourceUpgradeResponse
DeploymentResources
DeploymentRestoreResponse
DeploymentSearchResponse
DeploymentSettings
DeploymentShutdownResponse
DeploymentTemplateDefinitionRequest
DeploymentTemplateInfo
DeploymentTemplateReference
DeploymentUpdateMetadata
DeploymentUpdateRequest
DeploymentUpdateResources
DeploymentUpdateResponse
DeploymentsListResponse
DeploymentsListingData
DeploymentsSearchResponse
DiscreteSizes
Elasticsearch
ElasticsearchClusterBlockingIssueElement
ElasticsearchClusterBlockingIssues
ElasticsearchClusterInfo
ElasticsearchClusterInstanceSettingsOverrides
ElasticsearchClusterPlan
ElasticsearchClusterPlanInfo
ElasticsearchClusterPlansInfo
ElasticsearchClusterRole
ElasticsearchClusterSecurityInfo
ElasticsearchClusterSettings
ElasticsearchClusterTopologyElement
ElasticsearchClusterUser
ElasticsearchClustersInfo
ElasticsearchConfiguration
ElasticsearchCuration
ElasticsearchDependant
ElasticsearchElasticUserPasswordResetResponse
ElasticsearchInfo
ElasticsearchMasterElement
ElasticsearchMasterInfo
ElasticsearchMonitoringInfo
ElasticsearchNodeType
ElasticsearchPayload
ElasticsearchPlanControlConfiguration
ElasticsearchReplicaElement
ElasticsearchResourceInfo
ElasticsearchScriptTypeSettings
ElasticsearchScriptingUserSettings
ElasticsearchShardElement
ElasticsearchShardsInfo
ElasticsearchSystemSettings
ElasticsearchUserBundle
ElasticsearchUserPlugin
ElevatePermissionsRequest
ElevatedPermissions
EmptyResponse
EnrollmentTokenRequest
ExistsQuery
ExternalHyperlink
FilterAssociation
GrowShrinkStrategyConfig
Hyperlink
IdResponse
IndexSynchronizationResults
InstanceConfiguration
InstanceMoveRequest
InstanceTypeResource
IpFilterRule
IpFilterRuleset
IpFilterRulesets
IpFilteringSettings
KeystoreContents
KeystoreSecret
Kibana
KibanaClusterInfo
KibanaClusterPlan
KibanaClusterPlanInfo
KibanaClusterPlansInfo
KibanaClusterSettings
KibanaClusterTopologyElement
KibanaClustersInfo
KibanaConfiguration
KibanaPayload
KibanaPlanControlConfiguration
KibanaResourceInfo
KibanaSubClusterInfo
KibanaSystemSettings
LdapGroupSearch
LdapSecurityRealmLoadBalance
LdapSecurityRealmRoleMappingRule
LdapSecurityRealmRoleMappingRules
LdapSettings
LdapUserSearch
LegacySecuritySettings
LicenseInfo
LicenseObject
ListEnrollmentTokenElement
ListEnrollmentTokenReply
LoginRequest
LoginState
ManagedMonitoringSettings
MatchAllQuery
MatchNoneQuery
MatchQuery
Metadata
MetadataItem
MetadataItemValue
MetadataItems
ModelVersionIndexSynchronizationResults
MoveApmClusterConfiguration
MoveApmClusterDetails
MoveAppSearchConfiguration
MoveAppSearchDetails
MoveClustersCommandResponse
MoveClustersDetails
MoveClustersRequest
MoveElasticsearchClusterConfiguration
MoveElasticsearchClusterDetails
MoveKibanaClusterConfiguration
MoveKibanaClusterDetails
NestedQuery
NodeTypeResource
Note
Notes
Orphaned
OrphanedElasticsearch
PendingState
PendingStates
PendingStatesWithMeta
PlanStrategy
PlatformInfo
PlatformServiceImageInfo
PlatformServiceInfo
PortBinding
PrefixQuery
ProxiesAllocationsInfo
ProxiesFilter
ProxiesFilteredGroup
ProxiesFilteredGroupHealth
ProxiesHealth
ProxiesHttpSettings
ProxiesSSOSettings
ProxiesSettings
ProxyAllocationCounts
ProxyAllocationInfo
ProxyInfo
ProxyOverview
QueryContainer
QueryStringQuery
RangeQuery
ReAuthenticationRequest
ReAuthenticationResponse
RemoteClusterInfo
RemoteClusterRef
RepositoryConfig
RepositoryConfigs
RequestEnrollmentTokenReply
RestartPolicy
RestoreSnapshotApiConfiguration
RestoreSnapshotConfiguration
RestoreSnapshotRepoConfiguration
Role
RoleAggregate
RoleAggregateCreateData
RoleAggregates
RoleWithMeta
RollingGrowShrinkStrategyConfig
RollingStrategyConfig
RuleSetResponse
RulesetAssociations
RunnerBuildInfo
RunnerContainerInfo
RunnerInfo
RunnerOverview
RunnerRoleInfo
RunnerRolesInfo
SamlAttributeSettings
SamlIdpSettings
SamlSecurityRealmRoleMappingRule
SamlSecurityRealmRoleMappingRules
SamlSettings
SamlSpSettings
SearchRequest
SecurityDeployment
SecurityDeploymentCreateRequest
SecurityDeploymentTopology
SecurityRealmInfo
SecurityRealmInfoList
SecurityRealmsReorderRequest
SnapshotRepositoryConfiguration
SnapshotStatusInfo
StackVersionApmConfig
StackVersionAppSearchConfig
StackVersionArchiveProcessingError
StackVersionArchiveProcessingResult
StackVersionConfig
StackVersionConfigPost
StackVersionConfigs
StackVersionElasticsearchConfig
StackVersionEnterpriseSearchConfig
StackVersionInstanceCapacityConstraint
StackVersionKibanaConfig
StackVersionMetadata
StackVersionNodeType
StackVersionSiteSearchConfig
StackVersionTemplateFileHash
StackVersionTemplateInfo
TargetElasticsearchCluster
TermQuery
TiebreakerTopologyElement
TlsPublicCertChain
TokenResponse
TopologySize
TransientApmPlanConfiguration
TransientAppSearchPlanConfiguration
TransientElasticsearchPlanConfiguration
TransientKibanaPlanConfiguration
Updates
UsageStats
User
UserApiKey
UserFeatures
UserList
UserMetadata
UserSecurity
UserSecurityRealm
- Authentication
- Script reference
- Release notes
- Elastic Cloud Enterprise 2.4.3
- Elastic Cloud Enterprise 2.4.2
- Elastic Cloud Enterprise 2.4.1
- Elastic Cloud Enterprise 2.4.0
- Elastic Cloud Enterprise 2.3.2
- Elastic Cloud Enterprise 2.3.1
- Elastic Cloud Enterprise 2.3.0
- Elastic Cloud Enterprise 2.2.3
- Elastic Cloud Enterprise 2.2.2
- Elastic Cloud Enterprise 2.2.1
- Elastic Cloud Enterprise 2.2.0
- Elastic Cloud Enterprise 2.1.1
- Elastic Cloud Enterprise 2.1.0
- Elastic Cloud Enterprise 2.0.1
- Elastic Cloud Enterprise 2.0.0
- Elastic Cloud Enterprise 1.1.5
- Elastic Cloud Enterprise 1.1.4
- Elastic Cloud Enterprise 1.1.3
- Elastic Cloud Enterprise 1.1.2
- Elastic Cloud Enterprise 1.1.1
- Elastic Cloud Enterprise 1.1.0
- Elastic Cloud Enterprise 1.0.2
- Elastic Cloud Enterprise 1.0.1
- Elastic Cloud Enterprise 1.0.0
- Limitations and known problems
- What’s new with the Elastic Stack
- Elastic Stack 7.5.1 released
- Elastic Stack 7.5.0 released
- Elastic Stack 7.4.2 released
- Elastic Stack 7.4.1 released
- Elastic Stack 7.4.0 released
- Elastic Stack 7.3.2 released
- Elastic Stack 7.3.1 released
- Elastic Stack 7.3.0 released
- Elastic Stack 7.2.1 and 6.8.2 released
- Elastic Stack 7.2.0 released
- Elastic Stack 7.1.1 released
- Elastic Stack 7.1.0 released
- Elastic Stack 7.0.1 released
- Elastic Stack 7.0.0 released
- Elastic Stack 6.8.6 released
- Elastic Stack 6.8.5 released
- Elastic Stack 6.8.4 released
- Elastic Stack 6.8.3 released
- Elastic Stack 6.8.1 released
- Elastic Stack 6.8.0 released
- Elastic Stack 6.7.2 released
- Elastic Stack 6.7.1 released
- Elastic Stack 6.7.0 released
- Elastic Stack 6.6.2 released
- Elastic Stack 6.6.0 released
- Elastic Stack 6.5.4 released
- Elastic Stack 5.6.14 and 6.5.3 released
- Elastic Stack 6.5.2 released
- Elastic Stack 6.5.1 released
- Elastic Stack 6.5.0 released
- Elastic Stack 5.6.13 and 6.4.3 released
- Elastic Stack 5.6.11 and 6.4.0 released
- Elastic Stack 6.3.2 released
- Elastic Stack 6.3.1 released
- Known issue affecting 5.6.10 to 6.3.0 upgrades
- Elastic Stack 5.6.10 and 6.3.0 released
- About this product
It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Manage security certificates
editManage security certificates
editDuring installation, Elastic Cloud Enterprise generates certificates so that you can connect to your installation securely. In order to connect securely, you must first download and trust the CA certificates generated during installation before issuing any requests to ECE. If your organization operates as its own certificate authority, you can provide your certificates for ECE to avoid a security warning when connecting to the Cloud UI over HTTPS.
In these instructions, we show you how you can download the security certificate that gets generated during the ECE installation and use it to add your own TLS/SSL certificates. You can add your TLS/SSL certificates any time after you have installed ECE on your hosts. In addition to the steps shown here, you might also need to import your CA certificate into your browser certificate chain, if you don’t already use the same certificate within your organization.
You can change the certificates for the following ECE components separately:
- Cloud UI certificate
- Used to connect securely to the Cloud UI and to make RESTful API calls.
- Proxy certificate
-
Used to connect securely to Elasticsearch clusters and Kibana. You should use a wildcard certificate rooted at the cluster endpoint that you set (
*.example.com
, for example). A wildcard certificate is required, because the first label of the DNS address is distinct for Elasticsearch clusters and Kibana (bc898abb421843918ebc31a513169a.example.com
, for example).
After the certificates have been installed, connecting securely to Elasticsearch, Kibana, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors.
Before you begin
editWhen uploading the certificate chain to ECE, the following requirements apply:
- You must upload the full certificate chain, including certificate authorities.
- The chain must be in this order: Private key > SSL certificate > Interim CA (optional) > Root CA.
- The certificates must be in PEM format and the result should be a single file containing the full chain.
The PEM file should be structured like this:
-----BEGIN RSA PRIVATE KEY----- (Your Private Key: your_domain_name.key) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- (Your Primary SSL certificate: your_domain_name.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Intermediate certificate: Intermediate.crt) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- (Your Root certificate: TrustedRoot.crt) -----END CERTIFICATE-----
Each key and certificate would be generated by you or your IT team.
Get existing ECE security certificates
editObtain the existing certificate generated during the installation of ECE.
-
You can use the openssl command line tool to display the whole server certificate chain. Run the command against the Cloud UI URL provided at the end of the installation process on your first host,
192.168.43.10:12343
in our example:openssl s_client -showcerts -connect 192.168.43.10:12343 < /dev/zero CONNECTED(00000003) depth=2 CN = elastic ce master verify error:num=19:self signed certificate in certificate chain --- Certificate chain 0 s:/CN=elastic ce admin console a954e2668da4 i:/CN=elastic ce admin console root -----BEGIN CERTIFICATE----- MIIDjzCCAnegAwIBAgIGAVqk1eYJMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNVBAMT HWVsYXN0aWMgY2UgYWRtaW4gY29uc29sZSByb290MB4XDTE3MDMwNjE4MTYwNVoX DTI3MDMwNDE4MTYwNVowMDEuMCwGA1UEAxMlZWxhc3RpYyBjZSBhZG1pbiBjb25z b2xlIGE5NTRlMjY2OGRhNDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB ALqsQZexkEWoOnhK5uDrGC4kjEWVSWoYOR6ymd8ySHIqhqAZTGoRhiO46jlrCr+e Jqn3a+qlNNCmEBc5BqjDlKpEKmaLQJoAZock2fOXLiKVQZiJK+ygShoMq2KGpIeY m/gzQ01atAuETBut8AgpjMN2/xbm3FI0KiqPEpglC8wKQ4hKukbVn5YJBZmBjJxr 17vzhDpC/qJJ+owRNUoz9vd4VEfDjNhaZWJ8ihDWUCL9rDwVp8XVLUQ38SBurd7A zJjfzHfrpI9+C8F2UBHjDdqus253Qho5a8S+hGq7VRVqcGoo0nvqThVvR2s0tEDk fsN0rDOL3or9BwUbv0gIiAECAwEAAaOBtjCBszAsBgNVHREEJTAjggxlY2UtMC1y dW5uZXKCDTE5Mi4xNjguNDMuMTCHBMCoKwowSQYDVR0jBEIwQIAUgB4X3GsrUoGz SzJ4IQ8nuB6cosOhIKQeMBwxGjAYBgNVBAMTEWVsYXN0aWMgY2UgbWFzdGVyggYB WqTVH5EwHQYDVR0OBBYEFA7euGA6jC4XSKCRNt1ZWqABUa/EMAkGA1UdEwQCMAAw DgYDVR0PAQH/BAQDAgTwMA0GCSqGSIb3DQEBCwUAA4IBAQA9xskIXZ8byN0I+M/R cXKbvVzsu//gVgswCSZ/KpidWZnSxhuQ4tIryby6DqTKSvzp17ASld1VrYp3vZw+ zIgU7k7f/w2ATnm39Sn/DxuKUGEblMjUs2X9cF+ijFZklgX1LyWwIK9iKCATuS7J OThTFGuV0NScsvhiFTTaCXteQql+WwFOI2vL5XZKE8XiQesDiJfNbWg2K/EhxBih sFPWgik9aljciAHXK/pH9vQNf2rfpSL9HSTc89RetDFkmkXGIPKd3lxORE6wCdKm mUi6uktMCnBSyMapNEbiWR3sAPf30y81UAVJKcnzd7r8bP3V/19ZBEfvEUSy80DT th3x -----END CERTIFICATE----- 1 s:/CN=elastic ce admin console root i:/CN=elastic ce master -----BEGIN CERTIFICATE----- MIIDUDCCAjigAwIBAgIGAVqk1R+RMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMT EWVsYXN0aWMgY2UgbWFzdGVyMB4XDTE3MDMwNjE4MTUxNVoXDTI3MDMwNDE4MTUx NVowKDEmMCQGA1UEAxMdZWxhc3RpYyBjZSBhZG1pbiBjb25zb2xlIHJvb3QwggEi MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbse8n9LOSSnrBI6KSFieNZKKL MEjK+TqbA5dYmyC7935Jkpe2aWBhVT2o29+EgKotlWF6/3i+db4SPRVTJ21rLYJu usPkPr9jkEvKxExPG9hgzvXBQvbgKx4kzw9wEi5Mmh1bEsEBqkQsfXG5Tgk8J+VA IUIueiqZXhkmZvEx4e7m2rVhxWoVMHkzlQGOmZ77cQ9F68yFeCnbXUrvIIVs1Doj vFOybEFfYKuMjUqG+i6M0WrvOxij6QHnOfLEBc/Th0ckU60yKFnTYRHaym6xBcZN oDdkGwl7imbn62jvBUF7VLs7QLnkjF7ExxDksY3uxdcL9+q7BRwFW3bDTWDfAgMB AAGjgYswgYgwSQYDVR0jBEIwQIAUZdT53vvMI/XLUKahehVoLA5z4RGhIKQeMBwx GjAYBgNVBAMTEWVsYXN0aWMgY2UgbWFzdGVyggYBWqTVFtIwHQYDVR0OBBYEFIAe F9xrK1KBs0syeCEPJ7genKLDMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgH2 MA0GCSqGSIb3DQEBCwUAA4IBAQDR6vYhPau8ue0D/+iUha1NA6zAoImSEqr06dGe fyDJ5BCRWIEXvF4e//th55h/8eObCZhyeDPhcg1u73MWWGub3WO1EFqo4+Se7fKS 6uz5tTQplfSHI6fUaRzQ6lIClmc5RaAtnV86if/pfcK9Vb0yoLxOR4510gFZTp2x WRi8Q9E2LHkTYoMxoWZG9CyNrZ1apsV8GE1DG9f8OaxJ99exymVctySQynJqPSPP S2Xzb6TYzvW6ZiApzAgM6oS2KejA2CRNO+HjNWsJCceBuM8Z60Jq8Rm5Wh1rHjWw vFJZB0z0J6l/rOKAIIpeoPxoyDr/4RlommC3BRMEcOF0NdTk -----END CERTIFICATE----- 2 s:/CN=elastic ce master i:/CN=elastic ce master -----BEGIN CERTIFICATE----- MIIDRDCCAiygAwIBAgIGAVqk1RbSMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMT EWVsYXN0aWMgY2UgbWFzdGVyMB4XDTE3MDMwNjE4MTUxMloXDTI3MDMwNDE4MTUx MlowHDEaMBgGA1UEAxMRZWxhc3RpYyBjZSBtYXN0ZXIwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDbwOBtXjKvw4B10HDfoXatlXn8qUHkesV9+lWT0NT1 WU1X4rc9TwCsWHbH1S0YmOiTw9YVrzFjbYtjNgW5M3DXiewfvnfVm6ifrcuU1C0L yN8WxqBmvQt/7H2hyKwgsmiXfoULbT5PGuhizvRntlD2OgnPjshwetkRN//O3NWo Osd2LKMyzUvRPxNP2CwbQLetLgEpQjrjB+nfv4WZHkAQ4vGwxFkN6WaIpqhuhg2q I8xEHHh1IYTEOiQJZXXg7nU3vqY3kQ2Yu9kopuUJoXY5CviZLZO/xCriNVEPaOhX 6pWM+dDHaEzx1EiZNg3bjpAXAP+aErSDVAlqbYqCoeAvAgMBAAGjgYswgYgwHQYD VR0OBBYEFGXU+d77zCP1y1CmoXoVaCwOc+ERMEkGA1UdIwRCMECAFGXU+d77zCP1 y1CmoXoVaCwOc+ERoSCkHjAcMRowGAYDVQQDExFlbGFzdGljIGNlIG1hc3RlcoIG AVqk1RbSMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgH2MA0GCSqGSIb3DQEB CwUAA4IBAQBclrkSxPRhN6uxPmJ4QIlZ8OOBKuPPul5434Au8UWAzQX8p6tKLBBT Zpl9py/fg8YS1iTlPBkRCjssZG9x3x0gG2ftDqrO4AqL7L0X3oZRy+sIkG17h3GI CcHO596EGzhFPSa183kIwGXb4mI5nNUe43KkDXEyid/VIn27jokeqslfu2KQJnC1 ggwLRgrNpeNO4pb7cK4aBu3oLZ0tPnhdbIG+bVgHE6a6ZYyBH266oJmNpqmNOTzn JjrgOt5gEB5JcL1VWXZ3lU3ukd5Jq/rGFkqytBj+uQccpuWkGUMqU82xjREES8D8 AIHl4ghc6SM1jl2SqZR7aoAjP0uGwW31 -----END CERTIFICATE----- --- Server certificate subject=/CN=elastic ce admin console a954e2668da4 issuer=/CN=elastic ce admin console root --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3120 bytes and written 433 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: C9FA70D80592981C4174F490EF47AF0091326AED6ED4115CED30A9861EBD7758 Session-ID-ctx: Master-Key: 0EF40D4B72E102395352FE7935CAA47CA84BF743E8BF102B98856AFCB76E4BDDCEFDE3E0F7D4D4681A3BCFB170864C9F Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1488824550 Timeout : 300 (sec) Verify return code: 19 (self signed certificate in certificate chain) --- HTTP/1.1 501 Not Implemented Server: fac/9431ee Date: Mon, 06 Mar 2017 18:21:19 GMT Content-Type: text/plain; charset=UTF-8 Connection: close Content-Length: 23 Unsupported HTTP methodclosed
-
Save the last certificate shown in the output to a local file,
elastic-ece-ca-cert.pem
in this example:cat << EOF > ~/elastic-ece-ca-cert.pem -----BEGIN CERTIFICATE----- MIIDRDCCAiygAwIBAgIGAVqk1RbSMA0GCSqGSIb3DQEBCwUAMBwxGjAYBgNVBAMT EWVsYXN0aWMgY2UgbWFzdGVyMB4XDTE3MDMwNjE4MTUxMloXDTI3MDMwNDE4MTUx MlowHDEaMBgGA1UEAxMRZWxhc3RpYyBjZSBtYXN0ZXIwggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQDbwOBtXjKvw4B10HDfoXatlXn8qUHkesV9+lWT0NT1 WU1X4rc9TwCsWHbH1S0YmOiTw9YVrzFjbYtjNgW5M3DXiewfvnfVm6ifrcuU1C0L yN8WxqBmvQt/7H2hyKwgsmiXfoULbT5PGuhizvRntlD2OgnPjshwetkRN//O3NWo Osd2LKMyzUvRPxNP2CwbQLetLgEpQjrjB+nfv4WZHkAQ4vGwxFkN6WaIpqhuhg2q I8xEHHh1IYTEOiQJZXXg7nU3vqY3kQ2Yu9kopuUJoXY5CviZLZO/xCriNVEPaOhX 6pWM+dDHaEzx1EiZNg3bjpAXAP+aErSDVAlqbYqCoeAvAgMBAAGjgYswgYgwHQYD VR0OBBYEFGXU+d77zCP1y1CmoXoVaCwOc+ERMEkGA1UdIwRCMECAFGXU+d77zCP1 y1CmoXoVaCwOc+ERoSCkHjAcMRowGAYDVQQDExFlbGFzdGljIGNlIG1hc3RlcoIG AVqk1RbSMAwGA1UdEwQFMAMBAf8wDgYDVR0PAQH/BAQDAgH2MA0GCSqGSIb3DQEB CwUAA4IBAQBclrkSxPRhN6uxPmJ4QIlZ8OOBKuPPul5434Au8UWAzQX8p6tKLBBT Zpl9py/fg8YS1iTlPBkRCjssZG9x3x0gG2ftDqrO4AqL7L0X3oZRy+sIkG17h3GI CcHO596EGzhFPSa183kIwGXb4mI5nNUe43KkDXEyid/VIn27jokeqslfu2KQJnC1 ggwLRgrNpeNO4pb7cK4aBu3oLZ0tPnhdbIG+bVgHE6a6ZYyBH266oJmNpqmNOTzn JjrgOt5gEB5JcL1VWXZ3lU3ukd5Jq/rGFkqytBj+uQccpuWkGUMqU82xjREES8D8 AIHl4ghc6SM1jl2SqZR7aoAjP0uGwW31 -----END CERTIFICATE----- EOF
In subsequent steps, this
elastic-ece-ca-cert.pem
file is referred to as theCA_CERTIFICATE_FILENAME
and used to add your own TLS/SSL certificates.
Generate a CA certificate and X.509 certificate chain
editThe steps in this section provide high-level instructions on what you need to do if you do not already have a CA certificate and X.509 certificate chain. The method by which you generate the certificate and certificate chain differs by operating system, and the exact steps are outside the scope of these instructions.
The high-level steps to generate the necessary files include:
- Generate a certificate authority (CA) RSA key pair.
- Create a self-signed CA certificate.
- Generate a server RSA key pair.
- Create a certificate signing request (CSR) for server certificate with the common name and the alternative name set.
- Sign the server CSR with CA key pair.
- Concatenate the PEM encode server RSA private key, the server certificate, and the CA certificate into a single file.
Use the concatenated file containing the unencrypted RSA private key, server certificate, and CA certificate when adding your own TLS/SSL certificates in subsequent steps.
If your organization already uses a CA certificate and X.509 certificate chain, you need to have these files ready. You also need your unencrypted RSA private key.
Add a Cloud UI certificate
editTo add a Cloud UI certificate from the Cloud UI:
- Log into the Cloud UI.
- From the Platform menu, select Settings.
-
Under TLS settings for the Cloud UI, click Upload new certificate and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file.
To see the details of the certificate you added, click Show certificate chain.
To add a Cloud UI certificate from the command line:
-
Add the certificate for the Cloud UI to your ECE installation, where
CA_CERTIFICATE_FILENAME
is the name of the CA certificate you downloaded earlier andCLOUDUI_PEM_FILENAME
is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate:curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @CLOUDUI_PEM_FILENAME --user "admin:PASSWORD" "http://admin:12443/api/v1/platform/configuration/security/tls/ui"
- Log out of the Cloud UI and log in again.
-
Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser.
Alternatively, you can also check the certificate using the openssl command:
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12443 < /dev/zero
After adding your certificate, API requests made through the Cloud UI should use your certificate. When you use the curl
command, include the path to your CA certificate with the --cacert
parameter.
Add a proxy certificate
editTo add a proxy certificate from the Cloud UI:
- Log into the Cloud UI.
- From the Platform menu, select Settings.
-
Under TLS settings for the proxy, click Upload new certificate and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the file.
To see the details of the certificate you added, click Show certificate chain.
To add a proxy certificate from the command line:
-
Add the wildcard certificate chain for the proxy to your ECE installation, where
CA_CERTIFICATE_FILENAME
is the name of the CA certificate you downloaded earlier andPROXY_PEM_FILENAME
is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate:curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @PROXY_PEM_FILENAME --user "admin:PASSWORD" "https://admin:12343/api/v1/platform/configuration/security/tls/proxy"
- Log out of any Kibana instances you might be logged into and log in again.
-
Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Elasticsearch or Kibana endpoints over HTTPS in your web browser.
Alternatively, you can also use the openssl command to check the proxy certificates, where HOSTNAME_OR_IP is the hostname or IP address of the proxy host:
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9243 < /dev/zero openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero
Limitations
editYou cannot add certificates signed by an internal certificate authority to be used for outbound connections.
On this page