How to use DOMAIN NAME for CERTIFICATE, one certificate for entire cluster and adding more nodes without creating a new cert

Hi All,

I want to use one CERTIFICATE for all ES nodes ( , , )as well as KIBANA (, I created a CSR like bellow:

[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 =

That is working on all of my three nodes Elasticsearch and Kibana, but I get the following error in Kibana that the other two host names are not in alternative names, ( and )

I want to use domain name in SAN (alternative name ) to make ES expand-ability easier, in future if I want to add one more to ES cluster, I wont need to create a new certificate.

How can I use Domain name for certificate ?

Please keep in mind that this would mean that you need to share the same private key in all your nodes and kibana, and if one get's compromised TLS will be compromised for all.

This doesn't work exactly like that. Setting as a SAN, doesn't work like a wildcard in itself so this doesn't cover anything under * . You need to add * to your alternative names ( assuming your CA allows that, some do and some don't ) .

Thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.