Configure SSL/TLS

By default, Enterprise Search does not enable TLS (Transport Layer Security).

To enable SSL/TLS, set the following configuration settings:

ent_search.ssl.enabled: true
ent_search.ssl.keystore.path: "/path/to/keystore.jks"
ent_search.ssl.keystore.password: "changeme"
ent_search.ssl.keystore.key_password: "changeme"
ent_search.external_url: https://localhost:3002

Create the Java KeyStore

In the above example, keystore.jks is a Java KeyStore file.

Create a Java KeyStore file using the keytool utility, which is included with the JVM. If you are using the Elastic provided Docker image, the keytool utility is available at /etc/alternatives/keytool within the container. See keytool - Key and Certificate Management Tool in the Java documentation.

For example, to create a self-signed certificate and add it to a keystore for use with a server running on localhost, run:

keytool -genkey -alias server-alias -keyalg RSA \
  -storepass changeme -keypass changeme -keystore keystore.jks \
  -dname 'CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown'

Note that the values used in -keypass changeme and -storepass changeme correspond directly to the values that must be set for ent_search.ssl.keystore.key_password and ent_search.ssl.keystore.password, respectively.

Please note: In a production scenario, you will need a public certificate signed by a trusted Certificate Authority.

Hosting on the default HTTPS port

In addition to the above instructions, you may want to avoid having your users specify a port number when visiting Enterprise Search. In order to allow your users to make use of HTTPS only, you can set:

ent_search.listen_port: 443
ent_search.ssl.redirect_http_from_port: 80

This will bind your server to port 443 (the default HTTPS traffic port), and will ensure that traffic routed to port 80 (the default HTTP port) is redirected to 443. This ensures that any visitor will make use of TLS.


  • java.lang.ClassCastException: org.bouncycastle.asn1.DERApplicationSpecific cannot be cast to org.bouncycastle.asn1.ASN1Sequence

This error may occur if you're using a legacy configuration that specifies keys and certificates separately. It is a known JRuby bug. It is recommended that you use a Java KeyStore file as explained above. If this is not possible, remove the "Bag Attributes" from your keyfile. This can be done by generating your keyfile as follows:

openssl pkcs12 -in keystore.p12 -nodes -nocerts -passin pass:changeme | openssl rsa -out my_store.key

You can also manually remove the "Bag Attributes" portion of your keyfile with a text editor.
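
The manual removal described above can also be scripted. This added example (not part of the Elastic documentation) keeps only the PEM blocks of an exported keyfile and can write the result with owner-only permissions; the function names and the sample input are assumptions constructed for illustration.

```python
import os
import re

# One complete PEM block: BEGIN line, body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)


def strip_bag_attributes(pem_text):
    """Keep only the PEM blocks; drop "Bag Attributes" / "Key Attributes"
    headers and their indented friendlyName / localKeyID lines."""
    blocks = [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK.finditer(pem_text)]
    if not blocks:
        raise ValueError("no PEM block found in input")
    return "\n".join(blocks) + "\n"


def write_private(path, text):
    """Write key material readable by the owner only (mode 0600), since a
    key exported with -nodes is not encrypted."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a file that already existed
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


# Constructed sample in the shape of `openssl pkcs12 -nodes -nocerts` output.
# The base64 body is a placeholder, not a real key.
SAMPLE = """Bag Attributes
    friendlyName: server-alias
    localKeyID: 54 69 6D 65 20 31
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    # Print the cleaned sample; use write_private() for a real keyfile.
    print(strip_bag_attributes(SAMPLE), end="")
```
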