Hi All,
We have our OWN CA certificates namely:
ABC-Issuing-CA.crt
ABC-Root-CA.crt
With this we would like to create new Elasticsearch node certificates where we could not find any resource online for it.
I am new to security so let us know on how we could proceed further on this.
Elasticsearch version: 6.3.0
Thanks in advance!
The doc page has a reference for all of the parameters.
elasticsearch-certutil | Elasticsearch Guide [8.4] | Elastic.
For an example, I used the doc to create certs for a root CA and two nodes. If you already have a root CA and issuing CA, jump to the nodes part and use your issuing CA cert and private key.
Create self-signed root CA cert
echo "cluster1-ca.zip" | bin/elasticsearch-certutil ca --pem --days 7320 --keysize 3072 --ca-dn CN=cluster1-ca --pass cluster1-ca
unzip cluster1-ca.zip
mv ca cluster1-ca
Create end entity certs for Transport protocol, signed by the above CA
echo "cluster1-elasticsearch1.zip" | bin/elasticsearch-certutil cert --pem --days 398 --keysize 2048 --ca-cert cluster1-ca/ca.crt --ca-pass cluster1-ca --ca-key cluster1-ca/ca.key --pass cluster1-elasticsearch1 --name cluster1-elasticsearch1 --dns cluster1-elasticsearch1 --dns `hostname` --dns localhost --dns localhost.localdomain --ip 127.0.0.1 --ip ::1
echo "cluster1-elasticsearch2.zip" | bin/elasticsearch-certutil cert --pem --days 398 --keysize 2048 --ca-cert cluster1-ca/ca.crt --ca-pass cluster1-ca --ca-key cluster1-ca/ca.key --pass cluster1-elasticsearch2 --name cluster1-elasticsearch2 --dns cluster1-elasticsearch2 --dns `hostname` --dns localhost --dns localhost.localdomain --ip 127.0.0.1 --ip ::1
unzip cluster1-elasticsearch1.zip
unzip cluster1-elasticsearch2.zip
echo " "; openssl x509 -inform pem -in cluster1-ca/ca.crt -noout -subject -issuer -dates -serial
echo " "; openssl x509 -inform pem -in cluster1-elasticsearch1/cluster1-elasticsearch1.crt -noout -subject -issuer -dates -serial
echo " "; openssl x509 -inform pem -in cluster1-elasticsearch2/cluster1-elasticsearch2.crt -noout -subject -issuer -dates -serial
echo " "; openssl rsa -inform pem -in cluster1-ca/ca.key --passin pass:cluster1-ca
echo " "; openssl rsa -inform pem -in cluster1-elasticsearch1/cluster1-elasticsearch1.key --passin pass:cluster1-elasticsearch1
echo " "; openssl rsa -inform pem -in cluster1-elasticsearch2/cluster1-elasticsearch2.key --passin pass:cluster1-elasticsearch2
Notes:
Hello Justin,
Do you have any idea of how this can be done in a windows environment?
The elasticsearch-certutil and openssl commands can be run in Windows. The only differences I can think of are Windows specific file paths, and a slightly different way to echo a password as input into elasticsearch-certutil.
For example:
Linux
echo "cluster1-elasticsearch1.zip" | bin/elasticsearch-certutil cert --pem --days 398 --keysize 2048 --ca-cert cluster1-ca/ca.crt --ca-pass cluster1-ca --ca-key cluster1-ca/ca.key --pass cluster1-elasticsearch1 --name cluster1-elasticsearch1 --dns cluster1-elasticsearch1 --dns `hostname` --dns localhost --dns localhost.localdomain --ip 127.0.0.1 --ip ::1
Windows Command Prompt
echo|set /p="cluster1-elasticsearch1.zip" | bin/elasticsearch-certutil cert --pem --days 398 --keysize 2048 --ca-cert cluster1-ca/ca.crt --ca-pass cluster1-ca --ca-key cluster1-ca/ca.key --pass cluster1-elasticsearch1 --name cluster1-elasticsearch1 --dns cluster1-elasticsearch1 --dns `hostname` --dns localhost --dns localhost.localdomain --ip 127.0.0.1 --ip ::1
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.