I want to use one CERTIFICATE for all ES nodes (es1.srv.com ,es2.srv.com , es3.srv.com )as well as KIBANA (es2.srv.com), I created a CSR like bellow:
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = srv.com
That is working on all of my three nodes Elasticsearch and Kibana, but I get the following error in Kibana that the other two host names are not in alternative names, ( es1.srv.com and es3.srv.com )
I want to use domain name in SAN (alternative name ) to make ES expand-ability easier, in future if I want to add one more to ES cluster, I wont need to create a new certificate.
How can I use Domain name for certificate ?
Please keep in mind that this would mean that you need to share the same private key in all your nodes and kibana, and if one get's compromised TLS will be compromised for all.
This doesn't work exactly like that. Setting
srv.com as a SAN, doesn't work like a wildcard in itself so this doesn't cover anything under
*.srv.com . You need to add
*.srv.com to your alternative names ( assuming your CA allows that, some do and some don't ) .
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.