I'm following the guide on how to manually set up security within a cluster. Am I right in thinking that the instructions tell the reader to copy the same transport certificate and key to every node in the cluster?
Is this the recommended security practice - to share one cert/key between multiple nodes? Surely each node should have its own certificates issued so that they can be revoked individually should a node be compromised?
Is there a similar guide for PEM-based certificates, please?
Yes, the simple example is to copy to all; you will also see a note that says:
If you want to use hostname verification, set the verification mode to full. You should generate a different certificate for each host that matches the DNS or IP address. See the xpack.security.transport.ssl.verification_mode parameter in TLS settings.
But if you want, you can just generate one for each anyway.
If you look at the actual utility here:
You can use an instances file and define / create them all at one time.
And there is a --pem flag as well to get
You basically just need to use the --pem parameter, this will create
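The instances-file and --pem approach described in this reply, written out as an added example; it is not part of the thread and not Elastic's own code or documentation. Node names, hostnames, IPs and output paths are constructed placeholders, the elasticsearch-certutil invocation only runs if the tool is on PATH, and the elasticsearch.yml fragment assumes the certutil zip was unpacked into a certs/ directory under the config directory of each node:

```shell
#!/bin/sh
# Added example: build a per-node instances file for elasticsearch-certutil,
# emit the commands that issue one PEM certificate/key per node, and show the
# transport settings each node needs for verification_mode: full.
# All node names, hostnames and IPs below are constructed placeholders.

# write_instances_file OUTFILE "name hostname ip" ...
# One argument per node; the output follows the instances.yml layout that
# `elasticsearch-certutil cert --in` consumes (name, dns list, ip list).
write_instances_file() {
  out="$1"; shift
  printf 'instances:\n' > "$out"
  for spec in "$@"; do
    name=${spec%% *}; rest=${spec#* }
    host=${rest%% *}; ip=${rest#* }
    printf '  - name: "%s"\n    dns: ["%s"]\n    ip: ["%s"]\n' \
      "$name" "$host" "$ip" >> "$out"
  done
}

# count_instances FILE -> number of node entries in an instances file
count_instances() {
  grep -c -- '- name:' "$1"
}

# certutil_commands OUTDIR INSTANCES_FILE
# Prints the two commands: one CA in PEM form, then one cert+key per node
# signed by that CA. Nothing is executed here.
certutil_commands() {
  outdir="$1"; instances="$2"
  echo "elasticsearch-certutil ca --pem --out \"$outdir/ca.zip\""
  echo "unzip -q \"$outdir/ca.zip\" -d \"$outdir\""
  echo "elasticsearch-certutil cert --pem --ca-cert \"$outdir/ca/ca.crt\"" \
       "--ca-key \"$outdir/ca/ca.key\" --in \"$instances\" --out \"$outdir/certs.zip\""
}

# node_transport_settings NODENAME
# elasticsearch.yml fragment for one node. Paths assume the certs.zip was
# unpacked into <config>/certs/, so each node has certs/<name>/<name>.crt|key.
# verification_mode: full makes peers check the hostname/IP in the SAN, which
# only works because every node carries its own certificate.
node_transport_settings() {
  n="$1"
  cat <<EOF
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/$n/$n.key
xpack.security.transport.ssl.certificate: certs/$n/$n.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca/ca.crt" ]
EOF
}

# Demo: three constructed nodes, temp working directory.
workdir=$(mktemp -d)
write_instances_file "$workdir/instances.yml" \
  "node-1 node-1.example.internal 10.0.0.11" \
  "node-2 node-2.example.internal 10.0.0.12" \
  "node-3 node-3.example.internal 10.0.0.13"
echo "# instances file ($(count_instances "$workdir/instances.yml") nodes):"
cat "$workdir/instances.yml"
echo "# commands to issue the CA and per-node PEM material:"
certutil_commands "$workdir" "$workdir/instances.yml"
echo "# elasticsearch.yml fragment for node-1:"
node_transport_settings node-1
# Only run certutil when it is actually installed on this machine.
if command -v elasticsearch-certutil >/dev/null 2>&1; then
  certutil_commands "$workdir" "$workdir/instances.yml" | sh
fi
```

Each node gets only its own <name>.crt and <name>.key plus the shared ca.crt; the CA key stays off the cluster nodes and is needed again only when re-issuing certificates.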
I made a short tutorial on how to manually configure security on a cluster some time ago; maybe this helps.
Elasticsearch doesn't support revocation lists, so if you have a compromised node then you will need to re-key the whole cluster, even if you had separate certificates per node.