Manually-configured security in cluster


I'm following the guide on how to manually set up security within a cluster. Am I right in thinking that the instructions tell the reader to copy the same transport certificate and key to every node in the cluster?

Is this the recommended security practice - to share one cert/key between multiple nodes? Surely each node should have its own certificates issued so that they can be revoked individually should a node be compromised?

Is there a similar guide for PEM-based certificates, please?

Yes, the simple example is to copy to all. You will also see a note that says:

If you want to use hostname verification, set the verification mode to full. You should generate a different certificate for each host that matches the DNS or IP address. See the parameter in TLS settings.

But if you want, you can just generate one for each anyway.

If you look at the actual utility here:

You can use an instances file and define / create them all at once.

And there is a --pem flag as well to get .pem format

You basically just need to use the --pem parameter; this will create a crt and key file.

I made a short tutorial on how to manually configure security on a cluster some time ago; maybe this helps.

Elasticsearch doesn't support revocation lists, so if you have a compromised node then you will need to re-key the whole cluster, even if you had separate certificates per node.

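An added example (not part of the thread or of Elastic's guide) of the per-node approach discussed above: an instances file, the `--pem` flag, and `verification_mode: full`. Node names, addresses and file paths are constructed assumptions, and a PEM CA created beforehand with `elasticsearch-certutil ca --pem` is assumed.

```shell
#!/bin/sh
# Per-node PEM transport certificates for hostname verification.
# All names, IPs and paths below are constructed sample values.

# Write an instances file from "name:dns:ipv4" specs (IPv4 only, since ':' is the separator).
write_instances() {
  out=$1; shift
  printf 'instances:\n' > "$out"
  for spec in "$@"; do
    name=${spec%%:*}; rest=${spec#*:}
    dns=${rest%%:*};  ip=${rest#*:}
    printf '  - name: "%s"\n    dns:\n      - "%s"\n    ip:\n      - "%s"\n' \
      "$name" "$dns" "$ip" >> "$out"
  done
}

# Issue one certificate/key pair per instance, signed by the existing CA.
# Run from the Elasticsearch home directory; ca/ca.crt and ca/ca.key are assumed paths.
# $1 = instances file, $2 = output zip (holds <name>/<name>.crt and <name>/<name>.key).
issue_node_certs() {
  bin/elasticsearch-certutil cert --silent --pem \
    --in "$1" --out "$2" \
    --ca-cert ca/ca.crt --ca-key ca/ca.key
}

# Print the transport TLS settings for one node's elasticsearch.yml.
# Paths are relative to the config directory; the certs/ layout is an assumption.
node_tls_settings() {
  cat <<EOF
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/$1/$1.key
xpack.security.transport.ssl.certificate: certs/$1/$1.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca/ca.crt" ]
EOF
}

# Typical use:
#   write_instances instances.yml \
#     "es01:es01.example.internal:192.0.2.11" \
#     "es02:es02.example.internal:192.0.2.12"
#   issue_node_certs instances.yml certs.zip
#   node_tls_settings es01
```

Each node receives only its own key and certificate plus the CA certificate; the CA private key stays off the nodes.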