78 lines
3.0 KiB
Plaintext
78 lines
3.0 KiB
Plaintext
[role="xpack"]
|
|
[testenv="basic"]
|
|
[[encrypting-communications-certificates]]
|
|
=== Generate certificates
|
|
|
|
In a secured cluster, {es} nodes use certificates to identify themselves when
|
|
communicating with other nodes.
|
|
|
|
The cluster must validate the authenticity of these certificates. The
|
|
recommended approach is to trust a specific certificate authority (CA). Thus
|
|
when nodes are added to your cluster they just need to use a certificate signed
|
|
by the same CA.
|
|
|
|
. Generate a certificate authority for your cluster.
|
|
+
|
|
--
|
|
Run the following command:
|
|
|
|
["source","sh",subs="attributes,callouts"]
|
|
----------------------------------------------------------------------
|
|
./bin/elasticsearch-certutil ca
|
|
----------------------------------------------------------------------
|
|
|
|
You are prompted for an output filename and a password. In this tutorial, we'll
|
|
use the default filename (`elastic-stack-ca.p12`).
|
|
|
|
The output file is a PKCS#12 keystore that contains the public certificate for
|
|
your certificate authority and the private key that is used to sign the node
|
|
certificates.
|
|
|
|
TIP: We'll need to use this file again when we add nodes to the cluster, so
|
|
remember its location and password. Ideally you should store the file securely,
|
|
since it holds the key to your cluster.
|
|
|
|
For more information about this command, see
|
|
{ref}/certutil.html[elasticsearch-certutil].
|
|
--
|
|
|
|
. Create a folder to contain certificates in the configuration directory of your
|
|
{es} node. For example, create a `certs` folder in the `config` directory.
|
|
|
|
. Generate certificates and private keys for the first node in your cluster.
|
|
+
|
|
--
|
|
Run the following command:
|
|
|
|
["source","sh",subs="attributes,callouts"]
|
|
----------------------------------------------------------------------
|
|
./bin/elasticsearch-certutil cert \
|
|
--ca elastic-stack-ca.p12 \ <1>
|
|
--dns localhost \ <2>
|
|
--ip 127.0.0.1,::1 <3>
|
|
--out config/certs/node-1.p12 <4>
|
|
----------------------------------------------------------------------
|
|
<1> The `--ca` parameter contains the name of certificate authority that you
|
|
generated for this cluster.
|
|
<2> The `--dns` parameter contains a comma-separated list of DNS names for the
|
|
node.
|
|
<3> The `--ip` parameter contains a comma-separated list of IP addresses for the
|
|
node.
|
|
<4> The `--out` parameter contains the name and location of the generated
|
|
certificate. Ideally the file name matches the `node.name` value in the
|
|
`elasticsearch.yml` file.
|
|
|
|
You are prompted to enter the password for your CA. You are also prompted to
|
|
create a password for the certificate.
|
|
|
|
The output file is a PKCS#12 keystore that includes a node certificate, node key,
|
|
and CA certificate.
|
|
--
|
|
|
|
TIP: The {ref}/certutil.html[elasticsearch-certutil] command has a lot more
|
|
options. For example, it can generate Privacy Enhanced Mail (PEM) formatted
|
|
certificates and keys. It can also generate certificate signing requests (CSRs)
|
|
that you can use to obtain signed certificates from a commercial or
|
|
organization-specific certificate authority. However, those options are not
|
|
covered in this tutorial.
|