[DOCS] Clarifying TLS steps (#65326) (#66614)

* [DOCS] Clarifying TLS steps

* Fix file name

* Clarifying note based on reviewer feedback
Adam Locke 2020-12-18 16:00:28 -05:00 committed by GitHub
parent e2228df04a
commit a4d5e36905
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 8 deletions

@ -33,7 +33,7 @@ Use the <<certutil-ca,`elasticsearch-certutil ca`>> command:
[source,shell] [source,shell]
---- ----
bin/elasticsearch-certutil ca ./bin/elasticsearch-certutil ca
---- ----
You can configure the cluster to trust all nodes that have a certificate that You can configure the cluster to trust all nodes that have a certificate that
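Review bot: the new `./bin/elasticsearch-certutil ca` form on the changed command line only resolves when the reader's working directory is the {es} installation directory, and nothing in the visible lines says so. Suggest a short sentence before the listing stating where the command is run from; the same point applies to the `cert` and `http` command lines changed in the later hunks.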
@ -55,7 +55,7 @@ Use the <<certutil-cert,`elasticsearch-certutil cert`>> command:
[source,shell] [source,shell]
---- ----
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
---- ----
You are prompted for a password. You can enter a password for your You are prompted for a password. You can enter a password for your
certificate and key, or you can leave the password blank. certificate and key, or you can leave the password blank.
@ -88,12 +88,34 @@ Use the <<certutil-http,`elasticsearch-certutil http`>> command:
[source,shell] [source,shell]
---- ----
bin/elasticsearch-certutil http ./bin/elasticsearch-certutil http
---- ----
This command guides you through the process of generating the appropriate This command guides you through the process of generating the appropriate
certificates for use in {es} and {kib}. If you created a CA for your cluster, certificates for use in {es} and {kib}. If you created a CA for your cluster,
you can re-use it by supplying its location when prompted. you can re-use it by supplying its location when prompted.
NOTE: The first question that the `elasticsearch-certutil` tool prompts you
with is whether you want to generate a Certificate Signing Request (CSR).
Answer `y` if a trusted authority, such as in internal security team or a
commercial certificate authority, will sign your certificates. Answer `n` if
you have access to a trusted CA and will sign your own certificates.
The output is a `.zip` file containing one directory each for both Elasticsearch
and Kibana:
[source,shell]
----
/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml
/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml
----
-- --
. Copy the node certificate to the appropriate locations. . Copy the node certificate to the appropriate locations.
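Review bot: typo in the added NOTE, "such as in internal security team" should read "such as an internal security team". In the same NOTE, the `n` answer ("you have access to a trusted CA and will sign your own certificates") would be easier to follow if it tied back to the preceding paragraph's case of re-using the CA created for the cluster. The added directory listing is tagged `[source,shell]` although it is a file tree rather than a command, so a plain-text listing fits better, and "Elasticsearch and Kibana" in the sentence above it should use the `{es}` and `{kib}` attributes that the surrounding text uses.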
@ -105,12 +127,12 @@ your security certificates. For example, create a `certs` folder in the
NOTE: The <<config-files-location,{es} configuration directory>> varies NOTE: The <<config-files-location,{es} configuration directory>> varies
depending on your {es} installation. depending on your {es} installation.
.. Copy the node certificates into the `certs` directory that you created in the .. On each node, copy the certificate that you created into the `/certs`
previous step. directory. This certificate is typically a single `.p12` (PKCS#12) file, such
as `elastic-certificates.p12`.
.. Copy the `.p12` keystore file into the {es} configuration directory. {es} .. If you generated HTTP certificates, copy the `http.p12` file into the
will fail to start if the keystore file is located anywhere except this `certs` directory as well.
directory.
.. For each additional Elastic product that you want to configure, copy the .. For each additional Elastic product that you want to configure, copy the
certificates to the relevant configuration directory. certificates to the relevant configuration directory.
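Review bot: the rewritten first sub-step says `/certs`, with a leading slash, which reads as a directory at the filesystem root; the hunk header context ("create a `certs` folder in the") and the new `http.p12` sub-step both use `certs`, so drop the slash. The change also removes the sentence stating that {es} will fail to start if the keystore file is located anywhere except the configuration directory; if that constraint still holds, keep a version of it in the new step so readers know the location is not optional.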