Setting Up TLS on a Cluster

X-Pack security enables you to encrypt traffic to, from, and within your Elasticsearch cluster. Connections are secured using Transport Layer Security (TLS), which is commonly referred to as "SSL".


Clusters that do not have encryption enabled send all data in plain text including passwords and will not be able to install a license that enables X-Pack security.

The following steps describe how to enable encryption across the various components of the Elastic Stack. You must perform each of the steps that are applicable to your cluster.

  1. Generate a private key and X.509 certificate for each of your Elasticsearch nodes. See Generating Node Certificates.
  2. Configure each node in the cluster to identify itself using its signed certificate and enable TLS on the transport layer. You can also optionally enable TLS on the HTTP layer. See Encrypting Communications Between Nodes in a Cluster and Encrypting HTTP Client Communications.
  3. Configure X-Pack monitoring to use encrypted connections. See Monitoring and Security.
  4. Configure Kibana to encrypt communications between the browser and the Kibana server and to connect to Elasticsearch via HTTPS. See Configuring Security in Kibana.
  5. Configure Logstash to use TLS encryption. See Configuring Security in Logstash.
  6. Configure Beats to use encrypted connections. See Beats and Security.
  7. Configure the Java transport client to use encrypted communications. See Java Client and Security.
  8. Configure Elasticsearch for Apache Hadoop to use secured transport. See Elasticsearch for Apache Hadoop Security.