Now that you’ve generated a certificate authority and certificates for each node, you must update your cluster to use these files.
Stop each Elasticsearch node. For example, if you installed Elasticsearch from an archive
Ctrl-Con the command line. See Stopping Elasticsearch.
On each node, enable Transport Layer Security (TLS/SSL) for transport (internode) communications. You must also configure each node to identify itself using its signed certificate.
For example, add the following settings in each
If the file name for your certificate does not match the
node.namevalue, you must put the appropriate file name in each
The PKCS#12 keystore that is output by the
elasticsearch-certutilcan be used as both a keystore and a truststore. If you use other tools to manage and generate your certificates, you might have different values for these settings, but that scenario is not covered in this tutorial.
For more information about these settings, see Transport TLS settings.
On each node, store the password for PKCS#12 file in the Elasticsearch keystore.
For example, run the following commands on each node:
If the Elasticsearch keystore already exists, this command asks whether you want to overwrite it. You do not need to overwrite it; you can simply add settings to your existing Elasticsearch keystore.
You are prompted to supply the password value. As you saw in the previous step, we are using the same file for both the transport TLS keystore and truststore, therefore you supply the same password for both of these settings.
Start each Elasticsearch node. For example, if you installed Elasticsearch with a
.tar.gzpackage, run the following command from each Elasticsearch directory:
(Optional) Restart Kibana. For example, if you installed Kibana with a
.tar.gzpackage, run the following command from the Kibana directory:
Verify that your cluster is healthy. For example, use the cluster health API:
statusof your cluster is
greenin the response from this API.
If you encounter errors, you can see some common problems and solutions in Common SSL/TLS exceptions.
Congratulations! You’ve encrypted communications between the nodes in your cluster and can pass the TLS bootstrap check.
If you want to encrypt communications between other products in the Elastic Stack, see Encrypting communications.