From version 5.0 onward, Shield is part of X-Pack. For more information, see Securing the Elastic Stack.
Elastic Docs Shield - Elasticsearch Security Plugin [1.0] Securing Nodes
« Create a certificate signing request Configure the keystores and enable SSL »

Install the newly signed certificateedit

Replace the existing unsigned certificate by importing the new signed certificate from your CA into the node keystore:

keytool -importcert                       \
        -keystore   node01.jks            \
        -file       node01-signed.crt     \ 
        -alias      node01

This name of the signed certificate file that you received from the CA.

The alias must be the same as the alias that you used in Generate a node private key and certificate.

keytool confuses some PEM-encoded certificates with extra text headers as DER-encoded certificates, giving this error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data. The text information can be deleted from the certificate. The following openssl command will remove the text headers:

openssl x509 -in node01-signed.crt -out node01-signed-noheaders.crt
« Create a certificate signing request Configure the keystores and enable SSL »