Hi everyone!
I need help with securing my ELK stack on Windows using our internal CA. From what I understand, the new release of Elastic allows us to secure communications (certificates) without needing an X-Pack license. Before I proceed, is this accurate?
Assuming it is, there is little documentation on how to use this in a Windows cluster with an internal CA (required to use, instead of self-signed). I tried to walk myself through the process in my test environment, and here is what I have done:
I used "certutil.bat csr"; this generated a zip file that I was able to retrieve.
I used the CSR and requested the cert. My internal CA provided me with the certificate and chain.
Upon inspection, the certificate is issued to "instance" (because I did not add any flags).
At this point, the certificate is issued to the instance itself (i.e. "instance" as the instance name) or the server name "elkserver". Can we define both, as in "instance" on elkserver1 and "instance" on elkserver2 (maybe with SANs)? This is to determine whether or not I could leverage the certs issued to the servers themselves.
What I would like to accomplish is the following:
3 ES servers (2 for data, 1 mainly for Kibana)
1 Logstash server for ingesting Beats
All ES and Logstash interfaces need to be secured.
All client servers (Windows) should send secure Beats information to Logstash.
Does every server need to send a CSR to my Internal CA?
Does each node have to generate a CSR, or can 1 certificate be used on all 3 nodes, since it is issued to the instance?
Assuming that I need to send Beats data, does the client server need to generate a CSR?
Can they leverage their existing server certificate?
What are the actual steps that need to be performed on this Windows environment?
Any help will be extremely appreciated. Thanks!
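As an added example (not from the original post or from Elastic), here is a PowerShell sketch of the per-node approach the post is asking about: one CSR per node with the node's hostname as a SAN, then a check that the certificate returned by the CA actually carries that name before it is deployed. The Elastic bin path, the node hostnames and the certificate file names are assumptions; adjust them to your environment.

```powershell
# Added example, not from the original post. Paths and hostnames are assumptions.
$ElasticBin = 'C:\elastic\elasticsearch\bin'     # assumption: Elasticsearch install
$Nodes = @{                                       # constructed node names / FQDNs
    'elkserver1' = 'elkserver1.corp.example'
    'elkserver2' = 'elkserver2.corp.example'
    'elkserver3' = 'elkserver3.corp.example'
}

# 1. One CSR per node. --name sets the instance name that ends up in the
#    subject; --dns lists the SANs the internal CA should put in the cert, so
#    the node's short name and FQDN are both covered.
foreach ($node in $Nodes.Keys) {
    $fqdn = $Nodes[$node]
    & "$ElasticBin\elasticsearch-certutil.bat" csr `
        --name $node `
        --dns "$node,$fqdn" `
        --out ".\$node-csr.zip"
}

# 2. After the CA returns the signed certificate, confirm that the SAN extension
#    (OID 2.5.29.17) really contains this node's names. Hostname verification on
#    the TLS layer compares the peer name against these entries, so a cert
#    issued only to "instance" would not match elkserver1.
function Test-NodeCertificate {
    param(
        [Parameter(Mandatory)] [string]   $CertPath,
        [Parameter(Mandatory)] [string[]] $ExpectedDnsNames
    )
    $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) {
        Write-Warning "$CertPath has no Subject Alternative Name extension"
        return $false
    }
    $sanText = $sanExt.Format($true)               # human-readable list of SAN entries
    $missing = $ExpectedDnsNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
    if ($missing) {
        Write-Warning "$CertPath is missing SAN entries: $($missing -join ', ')"
        return $false
    }
    Write-Host "$CertPath (subject $($cert.Subject)) covers: $($ExpectedDnsNames -join ', ')"
    return $true
}

# Assumed file naming: the CA returned <node>.crt next to this script.
foreach ($node in $Nodes.Keys) {
    Test-NodeCertificate -CertPath ".\$node.crt" -ExpectedDnsNames @($node, $Nodes[$node]) | Out-Null
}
```

Run step 1 on each node (or once, then distribute each node's zip to the matching node), and step 2 on the files the CA hands back; a certificate that fails the SAN check should be reissued rather than installed.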