How to use the http.p12, http_ca.crt and transport.p12 generated by elasticsearch when run as a single node

I am trying to enable HTTPS on my elk-stack. While I am able to do so using the following link.

Configuring ssl,tls and https

However, When we run elasticsearch as a single node it generates some default certificates which we can find by getting inside the container as shown below.

image

My question is how can we use these certs and keys to enable HTTPS on elasticsearch also is it possible to use the same key and cert for kibana, logstash, and beats for secure communication over HTTPS?

Note: I am running elk stack in docker and using the latest version.

Hi,

As you can see in the document you pointed out to, you can see some https settings in the elasticsearch.yml file.

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/self-signed-withdns/elasticsearch-singlenode/elasticsearch-singlenode.key
xpack.security.http.ssl.certificate: certs/self-signed-withdns/elasticsearch-singlenode/elasticsearch-singlenode.crt
xpack.security.http.ssl.certificate_authorities: certs/self-signed-withdns/ca/ca.crt

Those settings help you enable the https security to your cluster.

I would suggest you follow the Elastic documentation as it's easy and the below doc would answer all your questions.

Install Elasticsearch on Docker

Setup basic security

Setup basic security plus HTTPS

Thank you for your response. I have already enabled https using the medium link but I am confused about the certificates generated by elasticsearch when I run elasticsearch using docker run command it generates those three certificates as mention in the title of the topic as well as shown in the image. The medium link provides a different way to enable https. I am asking how can I use the certificates generated by elasticsearch to enable https. i.e http_ca.crt , transport.p12 and http.p12

Got you.

So basically, if you follow the elastic document given by me, or the 3 certificates which are generated for you are the certificates which are self signed by elastic.

And the way it's shown in the medium is also the same but using a .yml file or you can say using a configuration file.

Both are generated using the elasticsearch-certutil only if you see the command.

sudo bash /usr/share/elasticsearch/bin/elasticsearch-certutil cert --days 1825 --keep-ca-key --pem --in instance.yml --out self-signed-elastic-stack.zip

Basically this type of generation is used when you want to give a custom name to the cert file or when you wanted to add multiple dns names in the cert or when you need to generate .csr files and get them signed by other Signing Autorities.

As of now, as you've enabled https, that should be fine.

The generated certs can be ignored in your case currently.