I've used this documentation to encrypt the communication in the ELK (7.4.0) cluster: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash
especially this command:
bin/elasticsearch-certutil cert ca --pem --in ~/tmp/cert_blog/instance.yml --out ~/tmp/cert_blog/certs.zip
The output of it is a zip file, which contains key/crt for every node and root ca.crt (without ca.key)
Now I would like to create a new key/crt for a filebeat instance, but I can't because ca.key is required (read here: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html), but it has not been created.
How can I now create new certificates for new nodes?
I'm afraid that you can't.
The instructions that you followed do not keep a copy of the CA key, so it is not possible to add new certificates.
I'll see what I can do to update that blog post with a warning, or additional instructions to retain the CA key, because I do not recommend creating a throw-away CA like that.
Thank you for the reply. It means to me that I have to recreate the CA (now with --keep-ca-key parameter) and certificates/keys and exchange all certificates and keys on the ELK nodes.
After that I can use the ca.crt and ca.key files to create new certificates/keys, for example for beats or new cluster nodes.
Can you explain why you "do not recommend creating a throw-away CA like that"?