Trying to set up and secure a new cluster for the first time with x-pack. Running 6.1.1 all around.
I generated my own ca.crt and ca.key using:
/usr/share/elasticsearch/bin/x-pack/certutil ca --ca-dn CN=Quasar --days 3650 -out ca.zip -v -pem
Then ran this to create my server certs and private keys:
/usr/share/elasticsearch/bin/x-pack/certutil cert --silent --in /tmp/cert_map.yaml --out /tmp/certs.zip --ca-cert ca/ca.crt --ca-key ca/ca.key
With yaml file contents:
instances:
- {dns: esdata1-01.shared.quasar.nadops.net, name: esdata1-01.shared.quasar.nadops.net}
- {dns: esdata1-02.shared.quasar.nadops.net, name: esdata1-02.shared.quasar.nadops.net}
- {dns: esmaster1-01.shared.quasar.nadops.net, name: esmaster1-01.shared.quasar.nadops.net}
- {dns: esmaster1-02.shared.quasar.nadops.net, name: esmaster1-02.shared.quasar.nadops.net}
- {dns: esmaster1-03.shared.quasar.nadops.net, name: esmaster1-03.shared.quasar.nadops.net}
The docs say:
This command generates a compressed test1.zip file. After you decompress the output file, there is a directory for each instance that was listed in the instances.yml file. Each instance directory contains a single PKCS#12 (.p12) file, which contains the instance certificate, instance private key, and CA certificate.
Which indicates there should be 3 files inside the keystore but there are only 2 files - the ca and my server private key but no server certificate:
[root@vmwdnaelastic01 tmp]# keytool -list -keystore ./esmaster1-02.shared.quasar.nadops.net/esmaster1-02.shared.quasar.nadops.net.p12
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
esmaster1-02.shared.quasar.nadops.net, Jan 15, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 42:E2:33:CF:4C:5A:D4:CF:6F:06:0C:D1:12:37:DE:88:2E:08:3D:F1
ca, Jan 15, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 2A:C1:2A:A4:7B:3B:95:C1:ED:EF:3E:8E:F2:ED:76:E5:2C:CB:D3:23
Anyone with any idea as to why this is not working as advertised?
What I want to do is be able to generate one keystore per node, each with a unique server certificate named after the host name the node is running on. Per the docs, this keystore will have all that is needed - the server certificate and private key so that it can respond to clients, and the CA certificate so that it can validate any server certificate. Seems like a clean way to deploy, but where is my server key?
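As an added example (editor's code, not the poster's and not Elastic's certutil), the script below shows what actually sits inside a per-instance PKCS#12 of the kind certutil emits. A keytool `PrivateKeyEntry` is listed as one entry, but that entry carries the private key together with its certificate chain, so the node certificate is bundled inside it rather than stored as a separate entry. The script builds a throwaway CA and one node certificate with openssl, packs key + node cert + CA cert into a .p12, and then pulls the file apart to count keys and certificates and print the certificate subjects. It assumes `openssl` is on PATH; the CA name, the `esmaster1-02.example.test` hostname and the `changeit` password are constructed for the demo.

```shell
#!/bin/sh
# Added example: build a certutil-style per-node PKCS#12 and inspect it.
# Assumes openssl is installed. All names, paths and the password below
# are constructed for the demo.
set -eu

WORK=$(mktemp -d)
P12_PASS=changeit
NODE_CN=esmaster1-02.example.test   # constructed hostname, not the poster's

# Create a throwaway CA and one node cert, then bundle key + node cert + CA
# cert into a single .p12 (the same three components certutil packs).
# Prints the path of the resulting PKCS#12 file.
make_demo_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Quasar" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$NODE_CN" \
    -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -out "$WORK/node.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/node.key" -in "$WORK/node.crt" \
    -certfile "$WORK/ca.crt" -name "$NODE_CN" -caname ca \
    -passout "pass:$P12_PASS" -out "$WORK/node.p12"
  echo "$WORK/node.p12"
}

# Number of certificates in the PKCS#12: node cert + CA cert -> 2.
count_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Number of private keys in the PKCS#12: exactly one (the node key).
count_keys() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY'
}

# One "subject=" line per certificate, so the node cert is visible by name.
cert_subjects() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep '^subject='
}

P12=$(make_demo_p12)
echo "certs: $(count_certs "$P12")  keys: $(count_keys "$P12")"
cert_subjects "$P12"
```

Run against a certutil-generated file, point `P12` at the node's .p12 and use the password certutil prompted for: two `subject=` lines, one with the node's CN and one with the CA's CN, show that both certificates are present even though keytool reports only two entries.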