OpenSearch/x-pack/docs/en/security/securing-communications/tutorial-tls-certificates.a...

78 lines
3.0 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[testenv="basic"]
[[encrypting-communications-certificates]]
=== Generate certificates
In a secured cluster, {es} nodes use certificates to identify themselves when
communicating with other nodes.
The cluster must validate the authenticity of these certificates. The
recommended approach is to trust a specific certificate authority (CA). Thus
when nodes are added to your cluster they just need to use a certificate signed
by the same CA.
. Generate a certificate authority for your cluster.
+
--
Run the following command:
["source","sh",subs="attributes,callouts"]
----------------------------------------------------------------------
./bin/elasticsearch-certutil ca
----------------------------------------------------------------------
You are prompted for an output filename and a password. In this tutorial, we'll
use the default filename (`elastic-stack-ca.p12`).
The output file is a PKCS#12 keystore that contains the public certificate for
your certificate authority and the private key that is used to sign the node
certificates.
TIP: We'll need to use this file again when we add nodes to the cluster, so
remember its location and password. Ideally you should store the file securely,
since it holds the key to your cluster.
For more information about this command, see
{ref}/certutil.html[elasticsearch-certutil].
--
. Create a folder to contain certificates in the configuration directory of your
{es} node. For example, create a `certs` folder in the `config` directory.
. Generate certificates and private keys for the first node in your cluster.
+
--
Run the following command:
["source","sh",subs="attributes,callouts"]
----------------------------------------------------------------------
./bin/elasticsearch-certutil cert \
--ca elastic-stack-ca.p12 \ <1>
--dns localhost \ <2>
--ip 127.0.0.1,::1 <3>
--out config/certs/node-1.p12 <4>
----------------------------------------------------------------------
<1> The `--ca` parameter contains the name of certificate authority that you
generated for this cluster.
<2> The `--dns` parameter contains a comma-separated list of DNS names for the
node.
<3> The `--ip` parameter contains a comma-separated list of IP addresses for the
node.
<4> The `--out` parameter contains the name and location of the generated
certificate. Ideally the file name matches the `node.name` value in the
`elasticsearch.yml` file.
You are prompted to enter the password for your CA. You are also prompted to
create a password for the certificate.
The output file is a PKCS#12 keystore that includes a node certificate, node key,
and CA certificate.
--
TIP: The {ref}/certutil.html[elasticsearch-certutil] command has a lot more
options. For example, it can generate Privacy Enhanced Mail (PEM) formatted
certificates and keys. It can also generate certificate signing requests (CSRs)
that you can use to obtain signed certificates from a commercial or
organization-specific certificate authority. However, those options are not
covered in this tutorial.