Generate certificates

edit

In a secured cluster, Elasticsearch nodes use certificates to identify themselves when communicating with other nodes.

The cluster must validate the authenticity of these certificates. The recommended approach is to trust a specific certificate authority (CA). Thus when nodes are added to your cluster they just need to use a certificate signed by the same CA.

  1. Generate a certificate authority for your cluster.

    Run the following command:

    ./bin/elasticsearch-certutil ca

    You are prompted for an output filename and a password. In this tutorial, we’ll use the default filename (elastic-stack-ca.p12).

    The output file is a PKCS#12 keystore that contains the public certificate for your certificate authority and the private key that is used to sign the node certificates.

    We’ll need to use this file again when we add nodes to the cluster, so remember its location and password. Ideally you should store the file securely, since it holds the key to your cluster.

    For more information about this command, see elasticsearch-certutil.

  2. Create a folder to contain certificates in the configuration directory of your Elasticsearch node. For example, create a certs folder in the config directory.
  3. Generate certificates and private keys for the first node in your cluster.

    Run the following command:

    ./bin/elasticsearch-certutil cert \
    --ca elastic-stack-ca.p12 \ 
    --dns localhost \ 
    --ip 127.0.0.1,::1 
    --out config/certs/node-1.p12 

    The --ca parameter contains the name of certificate authority that you generated for this cluster.

    The --dns parameter contains a comma-separated list of DNS names for the node.

    The --ip parameter contains a comma-separated list of IP addresses for the node.

    The --out parameter contains the name and location of the generated certificate. Ideally the file name matches the node.name value in the elasticsearch.yml file.

    You are prompted to enter the password for your CA. You are also prompted to create a password for the certificate.

    The output file is a PKCS#12 keystore that includes a node certificate, node key, and CA certificate.

The elasticsearch-certutil command has a lot more options. For example, it can generate Privacy Enhanced Mail (PEM) formatted certificates and keys. It can also generate certificate signing requests (CSRs) that you can use to obtain signed certificates from a commercial or organization-specific certificate authority. However, those options are not covered in this tutorial.