Create more certs with same CA file using certgen utility


(Gaurav Mutreja) #1

I have created a set of certs, without DNS and IP. In the Elasticsearch and Kibana configs, I have set ssl.verification.mode = certificate. Things work fine.

But when I connect from any other client like Spark, I get an error that the server name is required. So it looks like either I need to disable hostname verification in the client, if possible, or I need to generate certs with IP or DNS.

The problem I am facing with IP or DNS is: how do I add a new node to the cluster if required? I need to create a new cert for it which is signed by the same CA which is already in the cluster. I don't want to use multiple CAs.

So the question is: how can we generate more certs for new nodes using the CA cert created for the existing cluster, using the certgen utility?


(Jason Bryan) #2

Have a look at certgen -h:

Option               Description
------               -----------
-E <KeyValuePair>    Configure a setting
--cert               path to an existing ca certificate
--csr                only generate certificate signing requests
--days <Integer>     number of days that the generated certificates are valid
--dn                 distinguished name to use for the generated ca. defaults
                       to CN=Elastic Certificate Tool Autogenerated CA
-h, --help           show help
--in                 file containing details of the instances in yaml format
--key                path to an existing ca private key
--keysize <Integer>  size in bits of RSA keys
--out                path of the zip file that the output should be written to
--pass               password for an existing ca private key or the generated
                       ca private key
-s, --silent         show minimal output
-v, --verbose        show verbose output

Use the --cert with the --key option to specify the CA when signing certificates for other nodes.
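
Added example, not part of the original reply: a sketch of the flow described above, issuing a certificate with IP and DNS entries for one new node from the existing CA and then checking that it chains to that CA. It assumes certgen is on PATH, that the output zip holds `<name>/<name>.crt`, and that the node name, IP, DNS name and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example. Assumptions: certgen is on PATH (override with CERTGEN=...),
# and every name, address and path below is a constructed placeholder.
CERTGEN="${CERTGEN:-certgen}"

# Write the YAML file that --in expects: one entry per new node, listing the
# IP and DNS names that hostname-verifying clients will use to reach it.
write_instances() {  # usage: write_instances FILE NAME IP DNS
  cat > "$1" <<EOF
instances:
  - name: "$2"
    ip:
      - "$3"
    dns:
      - "$4"
EOF
}

# Sign the instances with the CA the cluster already trusts. Supplying both
# --cert and --key reuses that CA instead of generating a new one.
# If the CA private key is encrypted, --pass is also needed (see certgen -h).
sign_with_existing_ca() {  # usage: sign_with_existing_ca CA_CERT CA_KEY FILE OUT_ZIP
  "$CERTGEN" --cert "$1" --key "$2" --in "$3" --out "$4"
}

# Confirm the new certificate chains to the same CA and carries the SAN entries.
verify_node_cert() {  # usage: verify_node_cert CA_CERT NODE_CERT
  openssl verify -CAfile "$1" "$2" &&
    openssl x509 -in "$2" -noout -text | grep -A1 'Subject Alternative Name'
}

# Typical run (constructed paths; zip layout is an assumption):
#   write_instances instances.yml node-4 10.0.0.14 node-4.es.example.internal
#   sign_with_existing_ca ca/ca.crt ca/ca.key instances.yml node-4.zip
#   unzip node-4.zip -d certs && verify_node_cert ca/ca.crt certs/node-4/node-4.crt
```

The CA private key is only needed on the machine where signing happens; it does not have to be copied to the new node along with the issued certificate and key.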

