Elastic Search 8.6.2 SSL enabled with 3rd party certificate

I have a single instance of Elastic Search 8.6.2 installed on a Red Hat server. No cloud, no Docker and single node, very simple install. We need SSL enabled and configured to use a 3rd party certificate; we can't use the Elasticsearch self-signed certificate. Could someone please point me to the documentation of Elastic Search for this configuration? Thanks

Hi @neil.maffitt

Just generate your certs, then make them available, configure them and use them. I used Let's Encrypt below; it works fine for the HTTPS interface. Note it is still recommended to use self-signed for transport, or at least use separate certs etc.

All the settings are HTTP here and Transport Here

```yaml
# Enable security features
xpack.security.enabled: true

xpack.security.http.ssl:
  enabled: true
  certificate: certs/fullchain.pem  # Let's Encrypt
  key: certs/privkey.pem

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12  # Self-signed
  truststore.path: certs/transport.p12
```

Thank you for the quick response. Sorry should have mentioned we can't use http interface. We can only use https and nothing self-signed

Sorry when I say HTTP I mean HTTP(s)

That example above is HTTPS!

For the transport, you can absolutely use your own certs we just recommend to use separate certs.

Generate your certs, put them in the config folders, make sure they are readable and properly config. Support PEM and P12s

No rocket science just normal cert magic :slight_smile:

ok will give it a try and let you know how it goes. thanks

to be clear this enables SSL on the HTTP REST Interface
We call it the HTTP interface as transport is binary.
So technically you enable SSL on the HTTP interface
Hope that makes sense

yep that makes sense. My goal is to make a curl call using https protocol call to Elasticsearch like this

```
curl --location --request GET 'https://servername:9200/engine-int/_search?pretty' --header 'Content-Type: application/json' --header 'Authorization: Basic <base64 user:password>' --data '{
    "query": {
        "match_all": {}
    }
}'
```

For http this is working; I need it to work with https.
Thanks

Yup ... I use let's encrypt certs and do it all the time.

If you have your own CA it will need to be trusted by your client apps / curl etc

One last question, I hope :slight_smile: Does user elasticsearch need to be the owner of the pem files in the cert/ directory? Thanks

They need to be readable by the elasticsearch process; you choose your least privilege model.

Once I got by the file privileges, it is WORKING. Thank you for your help.

Sorry, spoke too soon
```
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```

Not working

So you are using your own CA not public CA.

Try this...

curl -v -u elastic --cacert /fullpathtoCA.pem https://elastichost:9200

Your clients will need your CA, or it will need to be added to the client's host CA trust store.

Nothing unusual/ elasticsearch special about this... All Normal cert stuff would be exactly the same if you were using Apache or Nginx.

I create a CSR uploaded to CA
Certificate was created and "Download Certificate mv (w/ chain), PEM encoded by Setigo"
filename setigo.cer
This is not working
curl -v -u elastic:password --cacert /etc/elastic/cert/setigo.cer https://elastichost:9200

The client in this case is curl on remote host

First, please always show the command AND response; can't help you without responses.

This needs to be the CA, not the cert.

--cacert /etc/elastic/cert/setigo.cer

Get your cert expert to get you the CA

So yes they will need the CA or that CA will need to be part of that host CA Truststore

OR you can run curl --insecure or -k which does not validate the cert and is not recommended.
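The difference between "the CA" and "the cert" that this answer draws, as an added example that is not part of the original posts: the script builds a constructed throwaway CA ("Demo Root CA") and a server certificate for `elastichost`, then shows that only the CA file passes as a trust anchor. The function and file names are hypothetical, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. The CA name, host name and file names are constructed for the demo.

# Build a throwaway CA and a server certificate signed by it in directory $1.
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
    '[dn]' 'CN=Demo Root CA' '[v3]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -config "$d/ca.cnf" -subj "/CN=elastichost" -newkey rsa:2048 \
    -nodes -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
}

# True if the first certificate in PEM file $1 carries basicConstraints CA:TRUE.
is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if file $1 works as a trust anchor for server certificate $2,
# which is the question curl's --cacert option asks of the file it is given.
anchors() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report on a candidate --cacert file ($1) for a server certificate ($2).
check_cacert() {
  openssl x509 -in "$1" -noout -subject -issuer
  if is_ca "$1"; then echo "  marked CA:TRUE"; else echo "  not a CA certificate"; fi
  if anchors "$1" "$2"; then echo "  verifies the server cert"
  else echo "  does NOT verify the server cert"; fi
}

demo() {
  tmp=$(mktemp -d) && make_demo_pki "$tmp" || return 1
  echo "server cert used as --cacert:"; check_cacert "$tmp/server.pem" "$tmp/server.pem"
  echo "CA cert used as --cacert:";     check_cacert "$tmp/ca.pem" "$tmp/server.pem"
  rm -rf "$tmp"
}
demo
```

On a real host, run `check_cacert` with the file you intend to pass to `--cacert` and the certificate configured in `xpack.security.http.ssl.certificate`.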

Sorry about that this was the response.

From above in thread you wrote
"Generate your certs, put them in the config folders, make sure they are readable and properly config. Support PEM and P12s"

So in Elasticsearch yml has reference to pem encoded cert.
and curl command line --cacert needs to be the CA

Not sure what this "This needs to be the CA" means but I guess that is why you suggested "Get your cert expert to get you the CA" Thank you

A CA is a Certificate Authority little explanation.

I assumed CA was for Cert Authority. I don't understand your comment in the context of a curl command.

Did you mean the CA store file for the host and not the setigo.cer file?
Thanks