Generating a CSR and Using an External Certificate with Elasticsearch

This guide is aimed at beginners and provides a step-by-step walkthrough for connecting Elasticsearch to external certificates issued by a Certificate Authority (CA). All instructions and steps are based on the official Elasticsearch documentation to ensure accuracy and compatibility.

Generate a CSR for Each Node

Step 1: Create a CSR Configuration File
For each node in your cluster, create a CSR configuration file. For example, for node-1:

instances:
  - name: "node-1"
    dns:
      - "node-1.yourdomain.com"
      - "localhost"
    ip:
      - "192.168.1.10"  # Replace with your node's IP address

Step 2: Generate the CSR
Use the elasticsearch-certutil tool to generate the CSR:

sudo /usr/local/elasticsearch/bin/elasticsearch-certutil csr --name node-1 --config csr_config_node-1.yml

Repeat these steps for each node in your cluster, creating a unique CSR configuration for each.

Signing the CSR with an External CA

Step 1: Submit the CSR for Signing
Send each generated CSR to your external CA for signing. The CA will provide:
  • A signed certificate for each node.
  • Intermediate certificates (if applicable).
  • The root CA certificate (ca.crt).
Step 2: Collect the Signed Certificates
Once the CA has signed your certificates, you will typically receive:
  • Node certificate: e.g., node-1.crt.
  • Intermediate certificates (if applicable).
  • Root CA certificate: e.g., ca.crt.

Import the Root CA Certificate into the Server’s Trust Store

To ensure that the server recognizes the external CA, you need to import the root CA certificate into the server’s trust store.
Step 1: Identify the Java KeyStore (JKS) Path
Elasticsearch typically uses the JKS format for its trust store. Locate the cacerts file in the Java installation directory. For example:

/usr/lib/jvm/java-<version>/lib/security/cacerts

Step 2: Import the Root CA Certificate
Use the keytool utility to import the root CA certificate into the trust store:

sudo keytool -import -trustcacerts -alias root-ca -file /path/to/ca.crt -keystore /usr/lib/jvm/java-<version>/lib/security/cacerts

You will be prompted to set or enter the trust store password. The default password for cacerts is usually changeit.
Step 3: Verify the Import
To confirm that the certificate was successfully imported, list the contents of the trust store:

sudo keytool -list -keystore /usr/lib/jvm/java-<version>/lib/security/cacerts

Look for the alias root-ca in the output.

Distribute the Certificates to Nodes

Step 1: Copy Certificates and Keys to Nodes
For each node, copy the signed certificate, private key, and root CA certificate to the appropriate directory:

scp node-1.crt node-1.key ca.crt user@<NODE_IP>:/usr/local/elasticsearch/config/

Step 2: Set Permissions
Set the correct ownership and permissions for the certificate and key files:

sudo chown elasticsearch:elasticsearch /usr/local/elasticsearch/config/node-1.crt /usr/local/elasticsearch/config/node-1.key /usr/local/elasticsearch/config/ca.crt
sudo chmod 600 /usr/local/elasticsearch/config/node-1.crt /usr/local/elasticsearch/config/node-1.key /usr/local/elasticsearch/config/ca.crt

Configure SSL/TLS in Elasticsearch

Edit the elasticsearch.yml file to configure SSL/TLS for transport and HTTP communications. Example configuration for node-1:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /usr/local/elasticsearch/config/node-1.crt
xpack.security.transport.ssl.certificate_authorities: ["/usr/local/elasticsearch/config/ca.crt"]
xpack.security.transport.ssl.key: /usr/local/elasticsearch/config/node-1.key

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/local/elasticsearch/config/node-1.crt
xpack.security.http.ssl.certificate_authorities: ["/usr/local/elasticsearch/config/ca.crt"]
xpack.security.http.ssl.key: /usr/local/elasticsearch/config/node-1.key

Restart Elasticsearch

After updating the configuration, restart Elasticsearch to apply the changes:

sudo systemctl restart elasticsearch

Additional Notes

  1. Trust Store Security:
    • Ensure the trust store (cacerts) is securely stored and accessible only to authorized users.
  2. Cluster Communication:
    • All nodes must trust the same root CA for secure communication within the cluster.
  3. Testing:
    • Test SSL/TLS connectivity using tools like curl or openssl.

The post Generating a CSR and Using an External Certificate with Elasticsearch appeared first on SOC Prime.