WARNING: Version 5.6 of Elasticsearch has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
The certgen
command simplifies the creation of certificate authorities (CA),
certificate signing requests (CSR), and signed certificates for use with the
Elastic Stack.
bin/x-pack/certgen (([--cert <cert_file>] [--days <n>] [--dn <name>] [--key <key_file>] [--keysize <bits>] [--pass <password>] [--p12 <password>]) | [--csr]) [-E <KeyValuePair>] [-h, --help] [--in <input_file>] [--out <output_file>] ([-s, --silent] | [-v, --verbose])
By default, the command runs in interactive mode and you are prompted for information about each instance. An instance is any piece of the Elastic Stack that requires a Transport Layer Security (TLS) or SSL certificate. Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats might all require a certificate and private key.
The minimum required value for each instance is a name. This can simply be the hostname, which is used as the Common Name of the certificate. You can also use a full distinguished name. IP addresses and DNS names are optional. Multiple values can be specified as a comma separated string. If no IP addresses or DNS names are provided, you might disable hostname verification in your TLS or SSL configuration.
Depending on the parameters that you specify, you are also prompted for necessary information such as the path for the output file and the CA private key password.
The certgen
command also supports a silent mode of operation to enable easier
batch operations. For more information, see Using certgen
in Silent Mode.
The output file is a zip file that contains the signed certificates and private keys for each instance. If you chose to generate a CA, which is the default behavior, the certificate and private key are included in the output file. If you chose to generate CSRs, you should provide them to your commercial or organization-specific certificate authority to obtain signed certificates. The signed certificates must be in PEM format to work with X-Pack security.
-
--cert <cert_file>
-
Specifies to generate new instance certificates and keys
using an existing CA certificate, which is provided in the
<cert_file>
argument. This parameter cannot be used with the-csr
parameter. -
--csr
- Specifies to operation in certificate signing request mode.
-
--days <n>
-
Specifies an integer value that represents the number of days the generated keys
are valid. The default value is
1095
. This parameter cannot be used with the-csr
parameter. -
--dn <name>
-
Defines the Distinguished Name that is used for the generated CA certificate.
The default value is
CN=Elastic Certificate Tool Autogenerated CA
. This parameter cannot be used with the-csr
parameter. -
-E <KeyValuePair>
- Configures a setting.
-
-h, --help
- Returns all of the command parameters.
-
--in <input_file>
-
Specifies the file that is used to run in silent mode. The
input file must be a YAML file, as described in Using
certgen
in Silent Mode. -
--key <key_file>
-
Specifies the private-key file for the CA certificate.
This parameter is required whenever the
-cert
parameter is used. -
--keysize <bits>
-
Defines the number of bits that are used in generated RSA keys. The default
value is
2048
. -
--out <output_file>
- Specifies a path for the output file.
-
--pass <password>
-
Specifies the password for the CA private key.
If the
-key
parameter is provided, then this is the password for the existing private key file. Otherwise, it is the password that should be applied to the generated CA key. This parameter cannot be used with the-csr
parameter. -
--p12 <password>
-
Generate a PKCS#12 (
.p12
or.pfx
) container file for each of the instance certificates and keys. The generated file is protected by the supplied password, which can be blank. This parameter cannot be used with the-csr
parameter. -
-s, --silent
- Shows minimal output.
-
-v, --verbose
- Shows verbose output.
To use the silent mode of operation, you must create a YAML file that contains information about the instances. It must match the following format:
instances: - name: "node1" ip: - "192.0.2.1" dns: - "node1.mydomain.com" - name: "node2" ip: - "192.0.2.2" - "198.51.100.1" - name: "node3" - name: "node4" dns: - "node4.mydomain.com" - "node4.internal" - name: "CN=node5,OU=IT,DC=mydomain,DC=com" filename: "node5"
The name of the instance. This can be a simple string value or can be a Distinguished Name (DN). This is the only required field. |
|
An optional array of strings that represent IP Addresses for this instance. Both IPv4 and IPv6 values are allowed. The values are added as Subject Alternative Names. |
|
An optional array of strings that represent DNS names for this instance. The values are added as Subject Alternative Names. |
|
The filename to use for this instance. This name is used as the name of the
directory that contains the instance’s files in the output. It is also used in
the names of the files within the directory. This filename should not have an
extension. Note: If the |
When your YAML file is ready, you can use the certgen
command to generate
certificates or certificate signing requests. Simply use the -in
parameter to
specify the location of the file. For example:
bin/x-pack/certgen -in instances.yml
This command generates a CA certificate and private key as well as certificates and private keys for the instances that are listed in the YAML file.