If you work in an environment with a central security team, they can likely generate a certificate for you. Infrastructure within your organization might already be configured to trust an existing CA, so it may be easier for clients to connect to Elasticsearch if you use a CSR and send that request to the team that controls your CA. To use a central CA, answer y to the first question.
The documentation you linked is for configuring TLS for the HTTP interface, i.e. it is for settings that begin with xpack.security.http.ssl.XXX. You probably want to re-evaluate whether you want to apply the same certs/keys for the transport interface.
You can generate the p12 file from PEM format private key and signed cert in different ways. One of them is to use the standard openssl tool with a command like:
Thank you for your help, I was able to get Elasticsearch running, but when I tried to create an enrollment token for another node, I got the error below. Is it a problem with the certificate, not finding the hostname or the IP address? The log has been modified to remove personal information.
$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
13:57:16.246 [main] WARN org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [10.*.*.106]; the server provided a certificate with subject name [CN=*.demo.ca,OU=ADM-IM/JDCP,O=ND-DN Cloud Intranet,L=***wa,ST=***io,C=CA], fingerprint [f3c*************4ed6f], keyUsage [digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment] and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:*.demo.ca,DNS:demo.ca,DNS:*.cloud.demo.ca]; the certificate is issued by [CN=example-CA-Authority] but the server did not provide a copy of the issuing certificate in the certificate chain; this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,PEM-trust{/etc/elasticsearch/certs/*base64.cer}})]) is not configured to trust that issuer but trusts [90] other issuers
java.security.cert.CertificateException: No subject alternative names matching IP address 10.*.*.106 found
I was able to get rid of the error by adding "xpack.security.http.ssl.verification_mode: certificate", but now I have a different error message. How would I create a keystore for the configuration?
$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore
The enrollment token was designed to work with auto-configured security. It is possible to get it to work with manually configured security, but you'll have to understand the details. The current problem you are having is that generating an enrollment token expects the HTTP TLS configuration to be configured with a keystore, not PEM files. So you need to create the PKCS#12 files.
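As an added example that is not part of this thread and not Elastic's own tooling, the script below uses the standard openssl CLI to do the two things the replies above point at: bundle a PEM private key and its signed certificate (plus the issuing chain, so the server can present it) into the PKCS#12 keystore that the enrollment-token command expects, and check whether a certificate's subject alternative names actually cover the address a client will connect to, which is the check behind the earlier "No subject alternative names matching IP address" error. File paths, the password, the keystore alias and the sample certificate are placeholders or constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
set -eu

# make_p12 KEY.pem CERT.pem OUT.p12 PASSWORD [CHAIN.pem]
# Bundles the node's PEM key and signed certificate into one PKCS#12 file.
# If CHAIN.pem (the issuing CA certificate(s)) is given it is included too,
# so the server sends the full chain rather than a bare leaf certificate.
make_p12() {
  key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
  set -- -export -inkey "$key" -in "$cert" -name http \
         -out "$out" -passout "pass:$pass"
  if [ -n "$chain" ]; then
    set -- "$@" -certfile "$chain"
  fi
  openssl pkcs12 "$@"
  chmod 640 "$out"   # the bundle holds the private key; keep it unreadable to others
}

# p12_has_key OUT.p12 PASSWORD -> exit 0 if the bundle contains a private key
p12_has_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# san_covers CERT.pem ADDRESS -> exit 0 if the SAN extension names ADDRESS
# exactly (DNS:name for a hostname, IP Address:x.x.x.x for an IP).
# A wildcard DNS entry such as *.demo.ca never matches a connection made by
# IP; that is why a client dialling 10.x.x.106 needs an IP SAN in the cert.
san_covers() {
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tail -n +2 | tr -d '\n' | sed 's/, /,/g; s/^ *//')
  case ",$san," in
    *",IP Address:$2,"*) return 0 ;;
    *",DNS:$2,"*)        return 0 ;;
  esac
  return 1
}

# Typical use (paths are placeholders):
#   make_p12 /etc/elasticsearch/certs/node.key /etc/elasticsearch/certs/node.crt \
#            /etc/elasticsearch/certs/http.p12 changeit /etc/elasticsearch/certs/ca.crt
#   san_covers /etc/elasticsearch/certs/node.crt 10.0.0.106 || echo "no IP SAN for this address"
# Then point the HTTP layer at the bundle in elasticsearch.yml:
#   xpack.security.http.ssl.keystore.path: certs/http.p12
# and store its password in the Elasticsearch keystore:
#   bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
```

The SAN check mirrors what the Java hostname verifier does: it matches the literal address the client used against the certificate's DNS or IP entries, so a certificate that is perfectly valid for its hostnames still fails when the enrollment tool reaches the node by IP. Either add an IP SAN when requesting the certificate or make the tool connect by a hostname the certificate covers; relaxing verification_mode hides the mismatch rather than fixing it.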