I have an Elasticsearch instance running and I need to enable SSL in it. I created a CSR file and gave it to the Certificate Authority for certificates. I received back 3 files: .cer, .p7b and .pem. How do I use them in the elasticsearch.yml file?
I'm definitely not an expert on that field as I'm using cloud.elastic.co where everything is set up out of the box for me.
But maybe you should read Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.14] | Elastic
It describes the usage of crt and p12 files. So you might need to convert your pem file to p12. And I think there are some guides on the internet to do that. I found this example, which I hope is accurate:
openssl pkcs12 -export -out certificate.p12 -inkey privatekey.pem -in certificate.pem
openssl pkcs7 -print_certs -in old.p7b -out new.crt
I hope this helps.
File extensions for crypto files can be quite inconsistent.
- Your .cer file is probably a PEM formatted certificate, but it might be a raw DER or BER file.
- Your .p7b is almost certainly a PKCS#7 DER certificate.
- Your pem file is going to be a PEM formatted file, but I can't tell if it's a key or a certificate. Probably a certificate (because there's no reason for your CA to give you a key).
To further complicate things, some of those files might contain your certificate, some might contain the CA's certificate(s) and some might contain a chain of your certificate + the CA's signing certificate. It's impossible to tell from the file extension.
If you can provide some more info then we can probably work out which files you need.
See the questions below:
I need to enable ssl in it
Q1. Do you know what you mean by "enable SSL"?
The link @dadoonet provided talks about configuring SSL for the REST layer (HTTPS), but Elasticsearch also has its own internal protocol ("transport") for communication between nodes, and that can (should) be configured with SSL as well (if you have multiple nodes).
We strongly recommend that you use your own cluster-specific CA for inter-node (transport) SSL and only use your company CA for HTTPS.
I will assume that you're trying to configure HTTPS here, but if you have multiple nodes and aren't using transport SSL then you probably need to configure that too.
Q2. How did you create the CSR file?
Did you use elasticsearch-certutil, or another tool?
Either way, that tool will have generated a private key file. It might be in a PKCS#12 keystore (.p12 or .pfx) or it might be in a PEM formatted file (.key or .pem), or possibly another format.
You will need that key, and you will probably need it in PEM format.
I suspect the PEM file is what you want, but you'll need to look inside it and see what it is.
It should be a plain text file, and the first line should look something like this:
-----BEGIN SOME SORT OF FILE-----
Q3. What does that first line say?
If it's the file we want, it will say -----BEGIN CERTIFICATE-----; if it says something else, then we may need to do some extra work.
Q4. How many BEGIN ... lines does it have?
If this is just a single certificate, then it will look like this:
-----BEGIN CERTIFICATE-----
MIIEkDCC ....
.... lots more lines of random characters
-----END CERTIFICATE-----
But if it contains a chain, then it will have more than 1 certificate block in it, and it will look like this:
-----BEGIN CERTIFICATE-----
MIIEkDCC ....
.... lots more lines of random characters
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFhzC ...
... more lines ...
-----END CERTIFICATE-----
And it may contain more than 2 certificates.
Look at the file and count how many times -----BEGIN CERTIFICATE----- appears in there.
Q5. Is this your certificate, or the CA's certificate(s)?
Assuming you have a copy of openssl available, run
openssl x509 -in the-file.pem -noout -subject
That will print out the "subject" of the certificate - that is, who it is for.
You'll get output that's something like this:
subject=DC=net, DC=example, CN=something
You'll need to work out whether that's you, or the CA.
If it's you, then it should match what you asked for in the CSR.
If it's the CA, then it will probably say something like "Issuing Certificate" or "Signing CA" or something that makes it clear that it belongs to the CA.
Hopefully it's you.
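As an added example (not from anyone in this thread), here is a small standard-library Python script that performs the Q3 and Q4 checks on a PEM file: it lists every -----BEGIN ...----- block, counts the certificates, flags whether a private key is mixed in (which the CA should never have sent), and confirms each block's base64 body decodes to a DER SEQUENCE. The sample bundle is constructed; its bodies are tiny placeholder DER objects, not real certificates, so use openssl x509 as described above for the subject check.

```python
import base64
import re
from collections import Counter

# Constructed sample: two "certificates" plus a key. The base64 bodies decode to a
# placeholder DER SEQUENCE (30 03 02 01 01), not to real X.509 or PKCS#8 data.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQE=
-----END PRIVATE KEY-----
"""

# One PEM block: the END label must match the BEGIN label (backreference \1).
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed block in the text."""
    blocks = []
    for label, body in BLOCK_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Certificates, keys, CSRs and PKCS#7 bundles are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def inspect_pem(text):
    """Summarise what a PEM file holds, answering Q3/Q4 from the thread."""
    if not text.lstrip().startswith("-----BEGIN "):
        return {"kind": "not-pem", "blocks": 0, "certificates": 0, "has_private_key": False}
    blocks = parse_pem_blocks(text)
    labels = Counter(label for label, _ in blocks)
    certs = labels["CERTIFICATE"]
    kind = "chain" if certs > 1 else "single" if certs == 1 else "no-certificate"
    return {
        "kind": kind,
        "blocks": len(blocks),
        "certificates": certs,
        "has_private_key": any("PRIVATE KEY" in label for label in labels),
        "labels": dict(labels),
    }
```

Run it as inspect_pem(open("the-file.pem").read()); a file reported as not-pem is most likely raw DER, which openssl can still read with -inform der.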