Usually, to secure an Elasticsearch cluster (especially communication between nodes, or between nodes or a cluster and Kibana, or anything else over HTTPS), if all nodes and Kibana are in the same infrastructure, we use certutil in Elasticsearch to create a CA that will issue certificates (for example elastic-stack-ca.p12), and generate certificates signed by that CA, whether for internal communication (for example elastic-certificates.p12), SSL for each node like http.p12, SSL for Kibana like kibana-server.crt and its key kibana-server.key, or for communication between Kibana and the cluster's nodes like elasticsearch-ca.pem.
And if the infrastructure has a central CA, I can sign my certificates with it to secure HTTP for nodes and Kibana... (but not for the intercommunication between nodes in the cluster, because for the transport layer it's recommended to use a separate, dedicated CA instead of an existing, possibly shared CA, so that node membership is tightly controlled. That's why we use the elasticsearch-certutil tool to generate a CA for our cluster.)
My question now is:
If my nodes are in the cloud in different places, and I have a Kibana instance connected to the cluster that groups all nodes, how can I secure communication between nodes in the cluster? Is it by using elastic-certificates.p12? And between that cluster's nodes and Kibana? And how about using Let's Encrypt SSL certificates?
Please guide me to the best security practices.
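The post's reason for a dedicated transport CA is that only certificates chaining to that CA can join the cluster. The following is an added example, not part of the original post, that reproduces the check with plain openssl: a node certificate issued by the dedicated transport CA verifies, while one issued by a different (shared) CA is rejected by a peer that trusts only the transport CA. It assumes openssl is on PATH; the CA and node names are constructed for the demo, and the elasticsearch-certutil commands mentioned in comments are the equivalents used in a real deployment.

```shell
#!/bin/sh
# Added example: why a dedicated transport CA tightly controls node membership.
# Real deployments use `elasticsearch-certutil ca` (CA) and
# `elasticsearch-certutil cert --ca <ca.p12>` (node certs); openssl is used
# here only so the trust check can be run anywhere.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1 (constructed names, e.g. transport-ca).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issue a leaf certificate for node $1, signed by CA $2.
issue_node_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit 0 if node cert $1 chains to CA $2: the check a transport peer performs
# when its trust store contains only the dedicated transport CA.
node_trusted_by() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca transport-ca        # dedicated transport CA (like elastic-stack-ca.p12)
make_ca shared-corp-ca      # the organisation's existing, possibly shared CA
issue_node_cert node-1 transport-ca          # legitimate cluster member
issue_node_cert rogue-node shared-corp-ca    # valid corp cert, not a member

if node_trusted_by node-1 transport-ca; then
  echo "node-1: accepted by transport CA"
fi
if node_trusted_by rogue-node transport-ca; then
  echo "rogue-node: accepted"
else
  echo "rogue-node: rejected (signed by the shared CA, not the transport CA)"
fi
```

Swap the shared CA into the transport trust store and the second check passes, which is exactly the loss of membership control the quoted recommendation warns about.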