Certgen instances.yaml

Hello,

If I run certgen in silent mode and set all my nodes up in the instances.yaml file, is that all I need to do to get the inter-node communication encrypted in the cluster?

Do I only need to run certgen on a single node as long as the instances.yaml file has information about all the nodes?

Thanks!

If your instances.yml has covered all your nodes, then you don't need to run certgen again.

Generally speaking, you should only run certgen on a single node, as it generates its own CA, and you need all the node certificates to be signed by that CA (and copying the CA key to all your nodes isn't a great idea).
You can generate multiple certs at once as you have done, or run it multiple times to generate a single node (but using the same CA each time), but just run it from 1 server.

> is that all I need to do

You also need to make changes to elasticsearch.yml (which I assume you know, but it's good to make sure).

After I generate the certs do I need to move them to each node or does certgen take care of that as well? Are the steps:

  1. Create the instances.yml file

  2. Run certgen on a single node against the file

  3. Change the elasticsearch.yml on that node

Yes, you need to manually copy the appropriate certificates and keys to each server and update elasticsearch.yml for every node.
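The copy step from the last reply, as an added example that is not part of the original thread: it stages one bundle per node from an unpacked certgen archive and keeps the CA private key out of every bundle. The directory layout (`ca/ca.crt`, `ca/ca.key`, `<node>/<node>.crt`, `<node>/<node>.key`) and the function names `stage_node_bundle` and `stage_all` are assumptions of this example.

```shell
#!/bin/sh
# Added example: stage per-node bundles from an unpacked certgen archive.
# Assumed layout (an assumption of this example):
#   <src>/ca/ca.crt  <src>/ca/ca.key  <src>/<node>/<node>.crt  <src>/<node>/<node>.key

stage_node_bundle() {
    # usage: stage_node_bundle <unpacked_dir> <node_name> <staging_dir>
    local src="$1" node="$2" dest="$3/$2" f
    # Refuse to build a partial bundle: a node needs its cert, its key and the CA cert.
    for f in "$src/ca/ca.crt" "$src/$node/$node.crt" "$src/$node/$node.key"; do
        [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"
    cp "$src/ca/ca.crt" "$src/$node/$node.crt" "$src/$node/$node.key" "$dest/" || return 1
    chmod 600 "$dest/$node.key"                  # private key: owner read/write only
    chmod 644 "$dest/ca.crt" "$dest/$node.crt"   # certificates are public material
}

stage_all() {
    # usage: stage_all <unpacked_dir> <staging_dir>
    local src="$1" staging="$2" dir node
    for dir in "$src"/*/; do
        node=$(basename "$dir")
        # The ca/ directory holds ca.key, which stays on the host that ran certgen.
        [ "$node" = "ca" ] && continue
        stage_node_bundle "$src" "$node" "$staging" || return 1
    done
    # Guard: fail if a CA private key ended up anywhere in the staging area.
    if find "$staging" -name 'ca.key' | grep -q .; then
        echo "ca.key found in staging area" >&2
        return 1
    fi
}
```

Each directory under the staging area can then be copied to the matching node, whose elasticsearch.yml must point at those three files.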
