SSL for Elastic Search

I have an Elasticsearch instance running and I need to enable SSL in it. I created a CSR file and gave it to the Certificate Authority for certificates. I received back 3 files: .cer, .p7b and .pem. How do I use them in the elasticsearch.yml file?

I'm definitely not an expert in that field, as I'm using cloud.elastic.co where everything is set up out of the box for me. :)

But maybe you should read Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.14] | Elastic

It describes the usage of crt and p12 files. So you might need to convert your pem file to p12. And I think there are some guides on the internet to do that. I found this example, which I hope is accurate:

openssl pkcs12 -export -out certificate.p12 -inkey privatekey.pem -in certificate.pem
openssl pkcs7 -print_certs -in old.p7b -out new.crt

I hope this helps.

File extensions for crypto files can be quite inconsistent.

  • Your .cer file is probably a PEM formatted certificate, but it might be a raw DER or BER file.
  • Your .p7b is almost certainly a PKCS#7 DER certificate.
  • Your pem file is going to be a PEM formatted file, but I can't tell if it's a key or a certificate. Probably a certificate (because there's no reason for your CA to give you a key).

To further complicate things, some of those files might contain your certificate, some might contain the CA's certificate(s) and some might contain a chain of your certificate + the CA's signing certificate. It's impossible to tell from the file extension.

If you can provide some more info then we can probably work out which files you need.
See the questions below:

I need to enable ssl in it

Q1. Do you know what you mean by "enable SSL"?

The link @dadoonet provided talks about configuring SSL for the REST layer (HTTPS), but Elasticsearch also has its own internal protocol ("transport") for communication between nodes, and that can (should) be configured with SSL as well (if you have multiple nodes).

We strongly recommend that you use your own cluster-specific CA for inter-node (transport) SSL and only use your company CA for HTTPS.

I will assume that you're trying to configure HTTPS here, but if you have multiple nodes and aren't using transport SSL then you probably need to configure that too.

Q2. How did you create the CSR file?

Did you use elasticsearch-certutil, or another tool?

Either way that tool will have generated a private key file. It might be in a PKCS#12 keystore (.p12 or .pfx) or it might be in a PEM formatted file (.key or .pem), or possibly another format.
You will need that key, and you will probably need it in PEM format.

I suspect the PEM file is what you want, but you'll need to look inside it and see what it is.

It should be a plain text file, and the first line should look something like this:

-----BEGIN SOME SORT OF FILE-----

Q3. What does that first line say?
If it's the file we want, it will say -----BEGIN CERTIFICATE-----, if it says something else, then we may need to do some extra work.

Q4. How many BEGIN ... lines does it have?
If this is just a single certificate, then it will look like this:

-----BEGIN CERTIFICATE-----
MIIEkDCC ....
.... lots more lines of random characters
-----END CERTIFICATE-----

But if it contains a chain, then it will have more than 1 certificate block in it, and it will look like this:

-----BEGIN CERTIFICATE-----
MIIEkDCC ....
.... lots more lines of random characters
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFhzC ...
... more lines ...
-----END CERTIFICATE-----

And it may contain more than 2 certificates.
Look at the file and count how many times -----BEGIN CERTIFICATE----- appears in there.

Q5. Is this your certificate, or the CA's certificate(s)?

Assuming you have a copy of openssl available, run

openssl x509 -in the-file.pem -noout -subject

That will print out the "subject" of the certificate - that is, who it is for.
You'll get output that's something like this:

subject=DC=net, DC=example, CN=something

You'll need to work out whether that's you, or the CA.
If it's you, then it should match what you asked for in the CSR.
If it's the CA, then it will probably say something like "Issuing Certificate" or "Signing CA" or something that makes it clear that it belongs to the CA.

Hopefully it's you.

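The triage the reply above walks through (PEM or raw DER? which BEGIN labels, how many certificate blocks, and what to do next) as an added, standard-library-only example; it is not code from this thread or from Elastic, the sample blocks are constructed stand-ins rather than real certificates, and reading the subject still needs the openssl command shown in the reply.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN <label>-----", base64 lines, "-----END <label>-----".
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def _decodes_to_der(b64_body: bytes) -> bool:
    """Certs, keys, CSRs and PKCS#7 bundles are all DER SEQUENCEs (tag 0x30)."""
    try:
        der = base64.b64decode(b"".join(b64_body.split()), validate=True)
    except binascii.Error:
        return False
    return len(der) > 2 and der[0] == 0x30


def triage(data: bytes) -> dict:
    """Report what a .cer / .pem / .p7b file actually holds."""
    blocks = _PEM_BLOCK.findall(data)
    if not blocks:  # no PEM armour: a raw DER/BER file also starts with 0x30
        fmt = "DER" if data[:1] == b"\x30" else "unknown"
        return {"format": fmt, "labels": [], "certificates": 0,
                "has_private_key": False, "valid": fmt == "DER"}
    labels = [label.decode() for label, _ in blocks]
    return {"format": "PEM", "labels": labels,
            "certificates": labels.count("CERTIFICATE"),
            "has_private_key": any("PRIVATE KEY" in lab for lab in labels),
            "valid": all(_decodes_to_der(body) for _, body in blocks)}


def advice(report: dict) -> str:
    """Map the report onto the next step from the reply above."""
    if not report["valid"]:
        return "not PEM or DER: a body does not decode to ASN.1 DER"
    if report["format"] == "DER":
        return "binary DER: inspect with 'openssl x509 -inform DER -noout -subject'"
    if "PKCS7" in report["labels"]:
        return "PKCS#7 bundle: extract with 'openssl pkcs7 -print_certs'"
    if report["has_private_key"]:
        return "private key: generated by your CSR tool, not sent by the CA"
    if report["certificates"] > 1:
        return f"chain of {report['certificates']} certificates: check each subject"
    return "single certificate: run 'openssl x509 -noout -subject' to see whose it is"


# Constructed samples: bodies are a tiny DER SEQUENCE, not real certificates.
_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01")
SAMPLE_CHAIN = (b"-----BEGIN CERTIFICATE-----\n" + _BODY + b"\n-----END CERTIFICATE-----\n") * 2
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\n" + _BODY + b"\n-----END PRIVATE KEY-----\n"
```

Run `triage(open("the-file.pem", "rb").read())` on each of the three files and feed the result to `advice()`; a count of more than one certificate is the chain case the reply describes.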