Is this the recommended security practice - to share one cert/key between multiple nodes? Surely each node should have its own certificates issued so that they can be revoked individually should a node be compromised?
Is there a similar guide for PEM-based certificates, please?
Yes, the simple example is to copy to all. You will also see a note that says:
If you want to use hostname verification, set the verification mode to full. You should generate a different certificate for each host that matches the DNS or IP address. See the xpack.security.transport.ssl.verification_mode parameter in TLS settings.
But if you want, you can just generate one for each anyway.
Elasticsearch doesn't support revocation lists, so if you have a compromised node then you will need to re-key the whole cluster, even if you had separate certificates per node.
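A per-node PEM configuration that follows the note quoted above, added here as an example rather than taken from the thread or the Elastic docs; the hostnames and file paths are placeholders. The commented-out block shows the shared-certificate variant and why it cannot use hostname verification.

```yaml
# elasticsearch.yml on node es-node-1 (hostname and paths are placeholders).
# Each node gets its own key/cert pair whose SAN matches that node's DNS name
# or IP address; only the CA certificate is identical on every node.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: certs/es-node-1.key
xpack.security.transport.ssl.certificate: certs/es-node-1.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]

# Weaker variant: one shared key/cert copied to every node. A single cert
# cannot carry every node's name, so the mode has to stay at "certificate",
# which only checks that the peer's cert chains to the trusted CA.
# xpack.security.transport.ssl.verification_mode: certificate
# xpack.security.transport.ssl.key: certs/shared.key
# xpack.security.transport.ssl.certificate: certs/shared.crt
```

Neither variant gives you revocation, as the reply above points out; per-node certificates limit what a single leaked key can impersonate, but a compromise still means re-keying the cluster.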