Create a CA Certificate

In the ca directory, create the CA certificate and export the certificate. The following command creates and signs the CA certificate, resulting in a self-signed certificate that establishes the CA as an authority.

openssl req -new -x509 -extensions v3_ca     \
       -keyout private/cakey.pem             \ 
       -out certs/cacert.pem                 \ 
       -days 1460                            \ 
       -config conf/caconfig.cnf

The path to the file where the private key is stored.

The path to the file where the CA certificate is stored.

The duration, in days, that the CA certificate is valid. After the expiration, trust in the CA is revoked and requires generation of a new CA certificate and re-signing of certificates.

The command prompts you to supply information to place in the certificate. You will have to pick a PEM passphrase to encrypt the private key for your CA.


You cannot recover the CA without this passphrase.

The following shows a sample interaction with the command above:

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 1460 -config \
Generating a 2048 bit RSA private key
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Organization Name (company) [Elasticsearch Test Org]:
Organizational Unit Name (department, division) []:.
Email Address [cacerttest@YOUR.COMPANY.TLD]:.
Locality Name (city, district) [Amsterdam]:.
State or Province Name (full name) [Amsterdam]:.
Country Name (2 letter code) [NL]:.
Common Name (hostname, IP, or your name) []:Elasticsearch Test CA

You now have a CA private key and a CA certificate (which includes the public key). You can now distribute the CA certificate and sign CSRs.

Signing a CSR

Signing a certificate with the CA means that the CA vouches for the owner of the certificate. The private key that is linked to the certificate proves certificate ownership. The CSR includes the certificate. Signing a CSR results in a new certificate that includes the old certificate, the CA certificate, and a signature. This resulting certificate is a certificate chain. Send the certificate chain back to the private key’s holder for use on the node.


If you do not yet have a CSR, you need to follow the steps described in Generate a node private key and certificate and Create a certificate signing request before continuing.

The following commands sign the CSR with the CA:

openssl ca -in node01.csr -notext -out node01-signed.crt -config conf/caconfig.cnf -extensions v3_req

The newly signed certificate chain node01-signed.crt can now be sent to the node to be imported back into its keystore.


If you plan on allowing more than one certificate per common name, OpenSSL must be configured to allow non-unique subjects. This is necessary when running multiple nodes on a single host and requesting unique certificates per node. Edit the ca/index.txt.attr file and ensure the unique_subject line matches below:

unique_subject = no

These steps provide you with a basic CA that can sign certificates for your Shield nodes.

OpenSSL is an extremely powerful tool and there are many more options available for your certification strategy, such as intermediate authorities and restrictions on the use of certificates. There are many tutorials on the internet for these advanced options, and the OpenSSL website details all the intricacies.