Manually-configured security in cluster

Hello,

I'm following the guide on how to manually set up security within a cluster. Am I right in thinking that the instructions tell the reader to copy the same transport certificate and key to every node in the cluster?

Is this the recommended security practice - to share one cert/key between multiple nodes? Surely each node should have its own certificates issued so that they can be revoked individually should a node be compromised?

Is there a similar guide for PEM-based certificates, please?

Yes the simple example is to copy to all you will also see a note that says

If you want to use hostname verification, set the verification mode to full. You should generate a different certificate for each host that matches the DNS or IP address. See the xpack.security.transport.ssl.verification_mode parameter in TLS settings.

But if you want you can just generate for each anyways.

If you look at the actual utility here:

You can use an instances file and define / create them all at once time

And there is a --pem flag as well to get .pem format

You basically just need to use the --pem parameter, this will create crt and key file.

I made a short tutorial on how to manually configure security on a cluster a couple of time ago, maybe this help.

Elasticsearch doesn't support revocation lists, so if you have a compromised node then you will need to re-key the whole cluster, even if you had separate certificates per node.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.