In a secured cluster, Elasticsearch nodes use certificates to identify themselves when communicating with other nodes.
The cluster must validate the authenticity of these certificates. The recommended approach is to trust a specific certificate authority (CA). Thus when nodes are added to your cluster they just need to use a certificate signed by the same CA.
elasticsearch-certutilcommand to generate a CA and certificates and private keys for each node in your cluster.
You can let the tool prompt you for information about each node in your cluster, or you can supply that information in an input file. For example, create a
test-cluster.ymlfile in one of your Elasticsearch nodes:
namevalues match the values you specified for
elasticsearch.ymlfile, you can use a shortcut in a subsequent step.
In this tutorial, all three nodes exist on the same machine and share the same IP address and hostname. In general, clusters are more resilient when they contain nodes from multiple servers and this list would reflect that diversity.
For information about all of the possible fields in this file, see Using elasticsearch-certutil in silent mode.
Then run the following command:
./bin/elasticsearch-certutil cert --in test-cluster.yml --keep-ca-key
It prompts you for passwords to secure each output file.
Ideally, you should use a different password for each file and store the files securely—especially the CA, since it holds the key to your cluster.
certificate-bundle.zipfile. For example:
unzip certificate-bundle.zip Archive: certificate-bundle.zip creating: ca/ inflating: ca/ca.p12 creating: node-1/ inflating: node-1/node-1.p12 creating: node-2/ inflating: node-2/node-2.p12 creating: node-3/ inflating: node-3/node-3.p12
certificate-bundle.zipfile contains a folder for each of your nodes and a
cafolder contains a
ca.p12file, which is a PKCS#12 keystore. This file contains the public certificate for your certificate authority and the private key that is used to sign the node certificates.
Each node folder contains a single PKCS#12 keystore that includes a node certificate, node key, and CA certificate.
- Create a folder to contain certificates in the configuration
directory on each Elasticsearch node. For example, create a
certsfolder in the
configdirectory on each node.
- Copy the appropriate certificate to the configuration directory on each Elasticsearch
node. For example, copy the
node-1.p12file into the
config/certsdirectory on the first node. Copy the
node-2.p12file to the second node and the
node-3.p12to the third.
If you later add more nodes, they just need to use a certificate signed by the same CA. For this reason, make sure you store your CA in a safe place and don’t forget its password!
The certificate authority that you generated for this cluster.
The name of the generated certificate. Ideally this value matches the new
A comma-separated list of DNS names for the new node.
A comma-separated list of IP addresses for the new node.
The elasticsearch-certutil command has a lot more options. For example, it can generate Privacy Enhanced Mail (PEM) formatted certificates and keys. It can also generate certificate signing requests (CSRs) that you can use to obtain signed certificates from a commercial or organization-specific certificate authority. However, those options are not covered in this tutorial.