How to create node certificate for Elasticsearch

I am using Elastic Cloud. I have a microservice which connects to Elasticsearch cloud via the REST API. I want to add SSL to enhance security.

From the documentation, one of the first steps is to generate a Certificate Authority for each node of the cluster. Could someone let me know how to access a node to run the command bin/elasticsearch-certutil? I am new to ES, so I have no idea how to SSH to the server.
https://www.elastic.co/guide/en/elasticsearch/reference/6.6/configuring-tls.html#node-certificates

Thanks a lot.

If you are using Elastic Cloud then it's already got TLS enabled by default; you don't need to do anything other than use the HTTPS port (9243).

Thanks @warkolm.

My purpose is to secure the API connection. Currently I am only using basic auth with username and password to connect from the client. I already tested the client connection with HTTPS and it works fine with basic auth.
If TLS is already enabled, how could I restrict the connection to only the application I am building? If I generate a self-signed certificate from the client, what do I need to change in the server configuration to match?

FYI, I tried to add this snippet to elasticsearch.yml, but it failed to update. The error is not allowed:

  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.key: /home/es/config/node01.key
  xpack.security.http.ssl.certificate: /home/es/config/node01.crt
  xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ]

API connections to Elastic Cloud are secured by default. SSL is automatically enabled, and a username + password is required.
What exactly are you looking to do on top of that?

That depends on how your application works. Typically you would create a new user for your application, and that user's password would be the protection you're after.

Correct. Because Elastic Cloud comes with SSL already enabled, it is not possible to reconfigure this.

Thanks @TimV
Yes, I am using a new user and password with certain permissions.
I am just concerned that if someone has the username and password, they can modify the existing Elasticsearch via API calls. Or perhaps I run the application in localhost testing with the existing credentials by mistake.
