Create a certificate signing request

The next step is to get the node certificate signed by your CA. To do this you must generate a Certificate Signing Request (CSR) with the keytool -certreq command:

keytool -certreq                   \
        -alias      node01         \
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \
        -ext san=dns:node01.example.com,ip:192.168.1.1

-alias node01: The same alias that you specified when creating the public/private key pair in Generate a node private key and certificate.

-ext san=...: The SubjectAlternativeName list for this host. The -ext parameter is optional and can be used to specify additional DNS names and IP addresses that the certificate will be valid for. Multiple DNS and IP entries can be specified by separating each entry with a comma. If this option is used, all names and IP addresses must be specified in this list.

The resulting file — node01.csr — is your Certificate Signing Request, or CSR file.
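Because every name and IP address must be in the SAN list once -ext is used, it is worth checking the CSR before it goes to the CA. The following is an added example, not part of the original documentation: it parses the text printed by keytool -printcertreq and reports expected SAN entries that are missing. The function names and the sample dump (including its subject and assumed layout) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report SAN entries expected for a node but absent from the CSR.

# Constructed sample of `keytool -printcertreq -file node01.csr` output
# (assumed layout of the SubjectAlternativeName block; subject is made up).
SAMPLE_DUMP='PKCS #10 Certificate Request (Version 1.0)
Subject: CN=node01
Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: node01.example.com
  IPAddress: 192.168.1.1
]'

# csr_sans: read the dump on stdin, print one lower-cased "type:value" line per
# SAN entry, in the same form as the -ext san= list (dns:..., ip:...).
csr_sans() {
    awk '
        /SubjectAlternativeName \[/  { in_san = 1; next }
        in_san && /^[ \t]*\]/        { in_san = 0 }
        in_san && $1 == "DNSName:"   { print "dns:" tolower($2) }
        in_san && $1 == "IPAddress:" { print "ip:" tolower($2) }
    '
}

# missing_sans: arguments are the entries the certificate must cover.
# Prints each entry not found in the dump on stdin; returns 1 if any is missing.
missing_sans() {
    found=$(csr_sans)
    rc=0
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$found" | grep -qxF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Against the real file:
#   keytool -printcertreq -file node01.csr | missing_sans dns:node01.example.com ip:192.168.1.1
if printf '%s\n' "$SAMPLE_DUMP" | missing_sans dns:node01.example.com ip:192.168.1.1; then
    echo "CSR carries every expected SAN entry"
fi
```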

Send the signing request

Send the CSR file to the Certificate Authority for signing. The Certificate Authority will sign the certificate and return a signed version of the certificate. See Signing a CSR if you are running your own Certificate Authority.

When running multiple nodes on the same host, the same signed certificate can be used on each node or a unique certificate can be requested per node if your CA supports multiple certificates with the same common name.