diff --git a/_security/configuration/generate-certificates.md b/_security/configuration/generate-certificates.md index b44f82f5..416df4b8 100755 --- a/_security/configuration/generate-certificates.md +++ b/_security/configuration/generate-certificates.md @@ -207,11 +207,13 @@ Then copy and paste the output into `opensearch.yml`. This process generates many files, but these are the ones you need to add to each node: - `root-ca.pem` -- `admin.pem` -- `admin-key.pem` +- (Optional) `admin.pem` +- (Optional) `admin-key.pem` - (Optional) `node1.pem` - (Optional) `node1-key.pem` +For most users, the `admin.pem` and `admin-key.pem` files only need to be added to the nodes you plan to run the `securityadmin` script or reload certificates from. For information about how to use the `securityadmin` script, see [Applying changes to configuration files]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/). If you intend to run the `securityadmin` script directly from a node, that node will need to have a copy of `admin.pem` and `admin-key.pem` on it. + On one node, the security configuration portion of `opensearch.yml` might look like this: ```yml 
@@ -232,12 +234,6 @@ plugins.security.nodes_dn: For more information about adding and using these certificates in your own setup, see [Configuring basic security settings]({{site.url}}{{site.baseurl}}/install-and-configure/install-opensearch/docker/#configuring-basic-security-settings) for Docker, [Configure TLS certificates]({{site.url}}{{site.baseurl}}/security/configuration/tls/), and [Client certificate authentication]({{site.url}}{{site.baseurl}}/security/configuration/client-auth/). - -## Run securityadmin.sh - -After configuring your certificates and starting OpenSearch, run `securityadmin.sh` to initialize the Security plugin. For information about how to use this script, see [Applying changes to configuration files]({{site.url}}{{site.baseurl}}/security/configuration/security-admin/). - - ## OpenSearch Dashboards For information on using your root CA and a client certificate to enable TLS for OpenSearch Dashboards, see [Configure TLS for OpenSearch Dashboards]({{site.url}}{{site.baseurl}}/install-and-configure/install-dashboards/tls/).
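Review bot: In the first hunk (`@@ -207,11 +207,13 @@`), the unchanged lead-in still says "these are the ones you need to add to each node", but four of the five list items are now marked (Optional), so the sentence and the list disagree. Reword the lead-in so that it matches the list, where `root-ca.pem` is the only entry left unmarked. The added paragraph also states the same condition twice: its first and last sentences both say that a node running `securityadmin` needs `admin.pem` and `admin-key.pem`. The phrase "the nodes you plan to run the `securityadmin` script or reload certificates from" is hard to parse, so folding the paragraph into one sentence plus the link would read better. Because the paragraph is about where the admin certificate and key are placed, it could also say directly that these two files should be left off nodes that do not need them.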
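Review bot: In the second hunk (`@@ -232,12 +234,6 @@`), deleting the "Run securityadmin.sh" section removes the only unconditional statement on this page that `securityadmin.sh` is run after configuring certificates and starting OpenSearch to initialize the Security plugin. The replacement paragraph in the first hunk mentions the script only in terms of which nodes need the admin files, so a reader following the page top to bottom no longer sees initialization as a step. If the removal is intentional, say so in the commit description and keep a one-sentence "next step" pointer to the "Applying changes to configuration files" page near the end of the section. Also check that no other page links to this heading's anchor, since the heading disappears with the section.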