I'm trying to run Elasticsearch with our own CA. Key and Cert are provided by our PKI-Team.
Changes in elasticsearch.yml:
    network.host: 0.0.0.0
    xpack.security.http.ssl:
      enabled: true
      keystore.path: certs/<keystore>.jks
    xpack.security.transport.ssl:
      enabled: true
      verification_mode: certificate
      keystore.path: certs/<keystore>.jks
      truststore.path: certs/<keystore>.jks
After changing the config, I have run:

    /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    /usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
    systemctl restart elasticsearch.service
    curl --cacert <chainfile> -u elastic 'https://<name>:9200/_cat/nodes?v'
    Enter host password for user 'elastic':
    ip   heap.percent ram.percent cpu load_1m load_5m load_15m node.role   master name
    <ip>            3          75   0    0.00    0.00     0.00 cdfhilmrstw *      <name>
If I want to generate a registration token with the following command:

    /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node --url https://<name>:9200

I get the error:

    ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
    elasticsearch-create-enrollment-token can only be used with Elasticsearch clusters that have been auto-configured for security.
How can I generate an enrollment token with our own certificates?
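
A cross-check of the configuration and commands in the post above, as an added example that is not part of the original post or of Elasticsearch: for every `keystore.path` / `truststore.path` under the HTTP and transport SSL sections, it looks for the matching `*.secure_password` among the secure settings that were added. The helper names `flatten` and `missing_store_passwords` are hypothetical, the inputs are constructed from the post, and it assumes every store is password-protected (a store without a password needs no entry).

```python
import re

# Constructed inputs mirroring the post: the YAML fragment and the secure
# settings that were passed to `elasticsearch-keystore add`.
ELASTICSEARCH_YML = """\
network.host: 0.0.0.0
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/<keystore>.jks
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/<keystore>.jks
  truststore.path: certs/<keystore>.jks
"""
ADDED_SECURE_SETTINGS = [
    "xpack.security.transport.ssl.truststore.secure_password",
    "xpack.security.transport.ssl.keystore.secure_password",
    "xpack.security.transport.ssl.truststore.secure_password",
]

def flatten(yml_text):
    """Flatten the simple nested/dotted YAML of elasticsearch.yml into dotted keys."""
    flat, stack = {}, []  # stack holds (indent, key) of the open parent sections
    for line in yml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave sections that ended at this indent level
        full = ".".join([p for _, p in stack] + [key.strip()])
        if value.strip():
            flat[full] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return flat

def missing_store_passwords(yml_text, secure_settings):
    """Return *.secure_password names expected for a configured store but not added."""
    pattern = r"(xpack\.security\.(?:http|transport)\.ssl\.(?:keystore|truststore))\.path"
    expected = set()
    for key in flatten(yml_text):
        m = re.fullmatch(pattern, key)
        if m:
            expected.add(m.group(1) + ".secure_password")
    return sorted(expected - set(secure_settings))

if __name__ == "__main__":
    print(missing_store_passwords(ELASTICSEARCH_YML, ADDED_SECURE_SETTINGS))
```

On a real node the second argument would be the setting names printed by `elasticsearch-keystore list`.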