ElasticSearch X-pack documentation a good description on how to secure your ElasticSearch cluster using SSL/TLS.
I used certgen to generate certificates for all the nodes as below:
I used certgen to generate certificates for all the nodes as below:
- Create a instances.yml file:
vim /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml
instances: - name: "hostname-00" ip: - "192.126.0.163" - "192.0.2.2" - "198.51.100.1" dns: - "hostname-00" - "hostname-00.mydomain.name" - name: "hostname-01" ip: - "192.126.0.164" dns: - "hostname-01" - "hostname-01.mydomain.name" - name: "hostname-02" - name: "CN=hostname-03,C=GB,ST=Greater London,L=London,O=OrgName,OU=OrgUnit,DC=mydomain,DC=com" dns: - "hostname-03.mydomain.name" - "hostname-03.internal" - "hostname-03" - Run below command to generate a CA certificate and private key as well as certificates and private keys for the instances that are listed in the YAML file:
/work/elk/elasticsearch-5.6.2/bin/x-pack/certgen --days 3650 --keysize 2048 --in /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml --out /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle.zip cd /work/elk/elasticsearch-5.6.2/config/x-pack/ unzip certificate-bundle.zip -d ./certificate-bundle/
Please check certgen page for all available options.
- If you have already got CA certificate and key, then you can use it to sign all the generated certificates:
/work/elk/elasticsearch-5.6.2/bin/x-pack/certgen --days 3650 --keysize 2048 --in /work/elk/elasticsearch-5.6.2/config/x-pack/instances.yml --out /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle.zip --cert /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle/ca/ca.crt --key /work/elk/elasticsearch-5.6.2/config/x-pack/certificate-bundle/ca/ca.key
This comes in handy, when you later decide to add new nodes or clients to your cluster.
Comments