How to use DOMAIN NAME for CERTIFICATE, one certificate for entire cluster and adding more nodes without creating a new cert

Hi All,

I want to use one CERTIFICATE for all ES nodes (es1.srv.com, es2.srv.com, es3.srv.com) as well as KIBANA (es2.srv.com). I created a CSR like below:

[ dn ]
C=US
ST=LA
L=TEST
O=SOMETHING
OU=SOMETHING
CN=es2.srv.com
 
[ req_ext ]
subjectAltName = @alt_names
 
[ alt_names ]
DNS.1 = srv.com

That is working on all three of my Elasticsearch nodes and Kibana, but I get the following error in Kibana that the other two host names (es1.srv.com and es3.srv.com) are not in the alternative names.

I want to use the domain name in the SAN (alternative name) to make ES expandability easier: in the future, if I want to add one more node to the ES cluster, I won't need to create a new certificate.

How can I use the domain name for the certificate?

Please keep in mind that this would mean that you need to share the same private key on all your nodes and Kibana, and if one gets compromised, TLS will be compromised for all.

This doesn't work exactly like that. Setting srv.com as a SAN doesn't work like a wildcard in itself, so this doesn't cover anything under *.srv.com. You need to add *.srv.com to your alternative names (assuming your CA allows that; some do and some don't).
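The matching rule the reply describes, as an added example (not from the original thread or from Elastic's code): a simplified RFC 6125-style check of hostnames against dNSName SAN entries, run over the thread's hostnames. The function names and the extra hostnames es4.srv.com and a.b.srv.com are assumptions for illustration.

```python
# Added example: simplified hostname-vs-SAN matching in the style of RFC 6125.
# Assumption: only dNSName SAN entries are checked (the CN is ignored when a
# SAN is present), and IDNs, IP SANs and partial wildcards such as
# "es*.srv.com" are out of scope (a partial wildcard is treated as a literal).

def san_matches(hostname: str, san: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        # A wildcard stands for exactly one label, so the label counts must
        # agree: "*.srv.com" covers neither "srv.com" nor "a.b.srv.com".
        return False
    if pattern[0] == "*":
        # Wildcard as the whole left-most label: the remaining labels must be
        # identical and the matched label must not be empty.
        return bool(host[0]) and host[1:] == pattern[1:]
    # No wildcard: exact, case-insensitive match only. A bare "srv.com" entry
    # therefore says nothing about hosts underneath it.
    return host == pattern


def uncovered(hostnames, sans):
    """Return the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Hostnames from the thread, plus constructed extras for illustration.
NODES = ["es1.srv.com", "es2.srv.com", "es3.srv.com"]
EXTRAS = ["es4.srv.com", "srv.com", "a.b.srv.com"]

if __name__ == "__main__":
    for sans in (["srv.com"], ["*.srv.com"], ["*.srv.com", "srv.com"]):
        print(sans, "-> not covered:", uncovered(NODES + EXTRAS, sans))
```

A future node such as es4.srv.com is covered by `*.srv.com` without reissuing the certificate, but the bare domain and deeper names like a.b.srv.com need their own SAN entries.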

Thank you
