ES 7.1 Cross cluster search and TLS

I have two ES 7.1 clusters with TLS enabled and they are working fine as separate clusters. I am trying to configure cross-cluster search between both clusters. The documentation states:

Enable a trust relationship between the cluster used for performing cross cluster search (the local cluster) and all remote clusters. This can be done either by:

  • Using the same certificate authority to generate certificates for all connected clusters, or
  • Adding the CA certificate from the local cluster as a trusted CA in each remote cluster (see Transport TLS settings).

I've used elasticsearch-certutil cert to generate the certs on both clusters.

Can I just copy the cert file from cluster 1 to cluster 2 to satisfy option 1 above?
If I keep two different certificates for each cluster like I currently have, what will the configuration look like for option 2?

Assuming your certs are not tied to a specific IP/DNS name then that should work fine.

If you want to use option 2, then you would need to extract the CA from each cluster and copy it into the PKCS#12 file for the other cluster.
keytool can do that for you.
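
The keytool steps the reply describes for option 2, as an added example that is not part of the original thread. The file names, password variable names and the `ca` alias are assumptions (confirm the alias in your own files with `keytool -list`).

```shell
#!/bin/sh
# Added example: cross-import each cluster's CA into the other cluster's PKCS#12 file.
# Passwords are read from environment variables (keytool's :env modifier) so they
# do not show up in the process list.
set -eu

# export_ca <p12> <password-env-var> <alias> <out.pem>
export_ca() {
  keytool -exportcert -rfc -keystore "$1" -storetype PKCS12 \
    -storepass:env "$2" -alias "$3" -file "$4"
}

# import_ca <p12> <password-env-var> <new-alias> <ca.pem>
# Adds the certificate as a trusted entry; the existing key entry is untouched.
import_ca() {
  keytool -importcert -noprompt -keystore "$1" -storetype PKCS12 \
    -storepass:env "$2" -alias "$3" -file "$4"
}

# show_ca <p12> <password-env-var> <alias>
# Prints the entry with its fingerprint; fails if the alias is absent.
show_ca() {
  keytool -list -keystore "$1" -storetype PKCS12 -storepass:env "$2" -alias "$3"
}

# exchange_cas <cluster1.p12> <env1> <cluster2.p12> <env2> [ca-alias]
exchange_cas() {
  ca_alias="${5:-ca}"   # assumption: alias of the CA entry; check with keytool -list
  tmp=$(mktemp -d)
  cp -p "$1" "$1.bak"; cp -p "$3" "$3.bak"     # keep the originals
  export_ca "$1" "$2" "$ca_alias" "$tmp/cluster1-ca.pem"
  export_ca "$3" "$4" "$ca_alias" "$tmp/cluster2-ca.pem"
  import_ca "$3" "$4" cluster1-ca "$tmp/cluster1-ca.pem"
  import_ca "$1" "$2" cluster2-ca "$tmp/cluster2-ca.pem"
  show_ca "$3" "$4" cluster1-ca    # compare fingerprints against the source CA
  show_ca "$1" "$2" cluster2-ca
  rm -rf "$tmp"
}

# Example invocation (hypothetical file and variable names):
#   export C1_PASS=... C2_PASS=...
#   exchange_cas cluster1/elastic-certificates.p12 C1_PASS \
#                cluster2/elastic-certificates.p12 C2_PASS
```

Copy each updated `.p12` back to every node of its own cluster; only CA certificates cross between clusters, the private keys stay where they were.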
