NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Generate certificates
editGenerate certificates
editIn a secured cluster, Elasticsearch nodes use certificates to identify themselves when communicating with other nodes.
The cluster must validate the authenticity of these certificates. The recommended approach is to trust a specific certificate authority (CA). Thus when nodes are added to your cluster they just need to use a certificate signed by the same CA.
-
Use the
elasticsearch-certutilcommand to generate a CA and certificates and private keys for each node in your cluster.You can let the tool prompt you for information about each node in your cluster, or you can supply that information in an input file. For example, create a
test-cluster.ymlfile in one of your Elasticsearch nodes:instances: - name: "node-1" dns: - "localhost" ip: - "127.0.0.1" - "::1" - name: "node-2" dns: - "localhost" ip: - "127.0.0.1" - "::1" - name: "node-3" dns: - "localhost" ip: - "127.0.0.1" - "::1"
If these
namevalues match the values you specified fornode.namein eachelasticsearch.ymlfile, you can use a shortcut in a subsequent step.In this tutorial, all three nodes exist on the same machine and share the same IP address and hostname. In general, clusters are more resilient when they contain nodes from multiple servers and this list would reflect that diversity.
For information about all of the possible fields in this file, see Using
elasticsearch-certutilin Silent Mode.Then run the following command:
./bin/elasticsearch-certutil cert --in test-cluster.yml --keep-ca-key
It prompts you for passwords to secure each output file.
Ideally, you should use a different password for each file and store the files securely—especially the CA, since it holds the key to your cluster.
-
Decompress the
certificate-bundle.zipfile. For example:unzip certificate-bundle.zip Archive: certificate-bundle.zip creating: ca/ inflating: ca/ca.p12 creating: node-1/ inflating: node-1/node-1.p12 creating: node-2/ inflating: node-2/node-2.p12 creating: node-3/ inflating: node-3/node-3.p12
The
certificate-bundle.zipfile contains a folder for each of your nodes and acafolder.The
cafolder contains aca.p12file, which is a PKCS#12 keystore. This file contains the public certificate for your certificate authority and the private key that is used to sign the node certificates.Each node folder contains a single PKCS#12 keystore that includes a node certificate, node key, and CA certificate.
-
Create a folder to contain certificates in the configuration
directory on each Elasticsearch node. For example, create a
certsfolder in theconfigdirectory on each node. -
Copy the appropriate certificate to the configuration directory on each Elasticsearch
node. For example, copy the
node-1.p12file into theconfig/certsdirectory on the first node. Copy thenode-2.p12file to the second node and thenode-3.p12to the third.
If you later add more nodes, they just need to use a certificate signed by the same CA. For this reason, make sure you store your CA in a safe place and don’t forget its password!
For example:
./bin/elasticsearch-certutil cert --ca ca/ca.p12 \ --name <node-name> \ --dns <domain_name> \ --ip <ip_addresses>
|
The certificate authority that you generated for this cluster. |
|
|
The name of the generated certificate. Ideally this value matches the new
node’s |
|
|
A comma-separated list of DNS names for the new node. |
|
|
A comma-separated list of IP addresses for the new node. |
The elasticsearch-certutil command has a lot more options. For example, it can generate Privacy Enhanced Mail (PEM) formatted certificates and keys. It can also generate certificate signing requests (CSRs) that you can use to obtain signed certificates from a commercial or organization-specific certificate authority. However, those options are not covered in this tutorial.