[[enable-ssl]]
==== Enabling TLS on {es} Nodes

Once you have the signed certificate, private key, and CA certificate, you need
to modify the node configuration to enable Transport Layer Security (TLS/SSL).

. Specify the information required to access the node's certificate.

** If the certificate is in PKCS#12 format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source,yaml]
-----------------------------------------------------------
xpack.ssl.keystore.path: certs/elastic-certificates.p12 <1>
xpack.ssl.truststore.path: certs/elastic-certificates.p12 <2>
-----------------------------------------------------------
<1> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the `certs/${node.name}.p12` format, for example.
<2> The `certutil` output includes the CA certificate inside the PKCS#12
keystore, therefore the keystore can also be used as the truststore. This name
should match the `keystore.path` value.
--

** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
[source, yaml]
--------------------------------------------------
xpack.ssl.key: /home/es/config/x-pack/node01.key <1>
xpack.ssl.certificate: /home/es/config/x-pack/node01.crt <2>
xpack.ssl.certificate_authorities: [ "/home/es/config/x-pack/ca.crt" ] <3>
--------------------------------------------------
<1> The full path to the node key file. This must be a location within the
{es} configuration directory.
<2> The full path to the node certificate. This must be a location within the
{es} configuration directory.
<3> An array of paths to the CA certificates that should be trusted. These paths
must be a location within the {es} configuration directory.
--

. If you secured the node's certificate with a password, add the password to
your {es} keystore:
+
--
[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.ssl.truststore.secure_password
-----------------------------------------------------------
--

. Enable TLS on the transport networking layer to ensure that communication
between nodes is encrypted. Make the following changes in `elasticsearch.yml`:
+
--
[source, yaml]
--------------------------------------------------
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <1>
--------------------------------------------------
<1> If you used the `--dns` or `--ip` options with the `certutil cert` command
and you want to enable strict hostname checking, set the verification mode to
`full`.
--

. Optional: Enable TLS on the HTTP layer to ensure that communication between
HTTP clients and the cluster is encrypted.
+
--
NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not
required. If you enable TLS on the HTTP layer in {es}, then you might need to
make configuration changes in other parts of the Elastic Stack and in any {es}
clients that you use.

Make the following changes in `elasticsearch.yml`:

[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
--------------------------------------------------
--

. Restart {es}.
+
--
You must perform a full cluster restart. Nodes which are configured to use TLS
cannot communicate with nodes that are using unencrypted networking (and vice
versa). After enabling TLS you must restart all nodes in order to maintain
communication across the cluster.
--

NOTE: All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
{ref}/cluster-nodes-info.html#cluster-nodes-info[nodes info API].

For more information about any of these settings, see <>.

For information about configuring other products in the Elastic Stack, see
{xpack-ref}/ssl-tls.html[Setting Up TLS on a Cluster].
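The steps above impose a handful of rules on `elasticsearch.yml` that are easy to get wrong across a fleet of nodes: certificate paths must sit inside the configuration directory, the PKCS#12 truststore path should match the keystore path, the transport layer must be enabled, and `verification_mode` should be `certificate` or `full`. The following pre-restart checker is an added example and is not part of the Elasticsearch project or its documentation. It parses the flat `key: value` subset of YAML that these settings use (no PyYAML dependency), assumes the configuration directory is `/home/es/config` as in the PEM paths above, and treats the real `none` verification mode as a finding because it disables certificate checks. The function and sample names are this example's own, and the two sample configurations are constructed.

```python
"""Pre-restart sanity check for the TLS settings in elasticsearch.yml.

Added example (hypothetical checker, not Elasticsearch project code).
"""
from pathlib import PurePosixPath


def parse_flat_yaml(text):
    """Parse the flat `key: value` subset of YAML used by elasticsearch.yml.

    Supports scalar values and single-line arrays such as `key: [ "a", "b" ]`.
    Comments and blank lines are skipped. Values keep their string form, so a
    boolean appears as the string "true".
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("\"'") for v in value[1:-1].split(",")]
            settings[key] = [v for v in items if v]
        else:
            settings[key] = value.strip("\"'")
    return settings


def within_config_dir(path, config_dir):
    """True if `path` lies inside `config_dir` after lexical normalisation.

    Relative paths are taken relative to the config directory. '..' segments
    are collapsed without touching the filesystem, so a value such as
    `/home/es/config/../../../etc/ssl/x.key` is correctly rejected.
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        p = PurePosixPath(config_dir) / p
    parts = []
    for part in p.parts:
        if part == "..":
            if len(parts) > 1:  # never pop the root anchor
                parts.pop()
        elif part != ".":
            parts.append(part)
    normalized = PurePosixPath(*parts)
    base = PurePosixPath(config_dir)
    return normalized == base or base in normalized.parents


def check_tls_settings(text, config_dir="/home/es/config"):
    """Return a list of (severity, message) findings; empty means all good."""
    s = parse_flat_yaml(text)
    findings = []

    keystore = s.get("xpack.ssl.keystore.path")
    truststore = s.get("xpack.ssl.truststore.path")
    pem_key = s.get("xpack.ssl.key")
    pem_cert = s.get("xpack.ssl.certificate")
    cas = s.get("xpack.ssl.certificate_authorities", [])

    if keystore:  # PKCS#12 form: one file holds key, cert and CA
        if truststore != keystore:
            findings.append(("warn", "truststore.path should match keystore.path "
                                     "when using the certutil PKCS#12 output"))
        path_settings = [("xpack.ssl.keystore.path", keystore),
                         ("xpack.ssl.truststore.path", truststore)]
    elif pem_key or pem_cert:  # PEM form: key, cert and CA list are separate
        if not (pem_key and pem_cert):
            findings.append(("error", "PEM setup needs both xpack.ssl.key "
                                      "and xpack.ssl.certificate"))
        if not cas:
            findings.append(("error", "PEM setup needs "
                                      "xpack.ssl.certificate_authorities"))
        path_settings = [("xpack.ssl.key", pem_key),
                         ("xpack.ssl.certificate", pem_cert)]
        path_settings += [("xpack.ssl.certificate_authorities", ca) for ca in cas]
    else:
        findings.append(("error", "no node certificate configured "
                                  "(neither PKCS#12 nor PEM settings present)"))
        path_settings = []

    for name, value in path_settings:
        if value and not within_config_dir(value, config_dir):
            findings.append(("error", f"{name} points outside the config "
                                      f"directory: {value}"))

    if s.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append(("error", "xpack.security.transport.ssl.enabled is not true"))
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode == "none":
        findings.append(("error", "verification_mode none disables certificate checks"))
    elif mode not in ("certificate", "full"):
        findings.append(("error", f"unknown verification_mode: {mode}"))
    if s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("info", "HTTP layer TLS is not enabled (recommended)"))
    return findings


# Constructed sample: the PKCS#12 configuration from the steps above.
SAMPLE_OK = """\
xpack.ssl.keystore.path: certs/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
"""

# Constructed sample: a PEM configuration with several mistakes.
SAMPLE_BAD = """\
xpack.ssl.key: /etc/ssl/private/node01.key
xpack.ssl.certificate: /home/es/config/x-pack/node01.crt
xpack.ssl.certificate_authorities: [ "/home/es/config/x-pack/ca.crt" ]
xpack.security.transport.ssl.enabled: false
xpack.security.transport.ssl.verification_mode: none
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(f"--- {label} ---")
        for severity, message in check_tls_settings(sample):
            print(f"[{severity}] {message}")
```

Run it against each node's `elasticsearch.yml` before the full cluster restart; any `error` finding is one that would otherwise surface only as a node failing to start or failing to join the cluster.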