This guide is aimed at beginners and provides a step-by-step walkthrough for connecting Elasticsearch to external certificates issued by a Certificate Authority (CA). All instructions and steps are based on the official Elasticsearch documentation to ensure accuracy and compatibility.
Generate a CSR for Each Node
Step 1: Create a CSR Configuration File
For each node in your cluster, create a CSR configuration file. For example, for node-1
:
instances:
- name: "node-1"
dns:
- "node-1.yourdomain.com"
- "localhost"
ip:
- "192.168.1.10" # Replace with your node's IP address
Step 2: Generate the CSR
Use the elasticsearch-certutil
tool to generate the CSR:
sudo /usr/local/elasticsearch/bin/elasticsearch-certutil csr --name node-1 --config csr_config_node-1.yml
Repeat these steps for each node in your cluster, creating a unique CSR configuration for each.
Signing the CSR with an External CA
Send each generated CSR to your external CA for signing. The CA will provide:
- A signed certificate for each node.
- Intermediate certificates (if applicable).
- The root CA certificate (
ca.crt
).
Once the CA has signed your certificates, you will typically receive:
- Node certificate: e.g.,
node-1.crt
. - Intermediate certificates (if applicable).
- Root CA certificate: e.g.,
ca.crt
.
Import the Root CA Certificate into the Server’s Trust Store
To ensure that the server recognizes the external CA, you need to import the root CA certificate into the server’s trust store.
Step 1: Identify the Java KeyStore (JKS) Path
Elasticsearch typically uses the JKS format for its trust store. Locate the cacerts
file in the Java installation directory. For example:
/usr/lib/jvm/java-<version>/lib/security/cacerts
Step 2: Import the Root CA Certificate
Use the keytool
utility to import the root CA certificate into the trust store:
sudo keytool -import -trustcacerts -alias root-ca -file /path/to/ca.crt -keystore /usr/lib/jvm/java-<version>/lib/security/cacerts
You will be prompted to set or enter the trust store password. The default password for cacerts
is usually changeit
.
Step 3: Verify the Import
To confirm that the certificate was successfully imported, list the contents of the trust store:
sudo keytool -list -keystore /usr/lib/jvm/java-<version>/lib/security/cacerts
Look for the alias root-ca
in the output.
Distribute the Certificates to Nodes
Step 1: Copy Certificates and Keys to Nodes
For each node, copy the signed certificate, private key, and root CA certificate to the appropriate directory:
scp node-1.crt node-1.key ca.crt user@<NODE_IP>:/usr/local/elasticsearch/config/
Step 2: Set Permissions
Set the correct ownership and permissions for the certificate and key files:
sudo chown elasticsearch:elasticsearch /usr/local/elasticsearch/config/node-1.crt /usr/local/elasticsearch/config/node-1.key /usr/local/elasticsearch/config/ca.crt
sudo chmod 600 /usr/local/elasticsearch/config/node-1.crt /usr/local/elasticsearch/config/node-1.key /usr/local/elasticsearch/config/ca.crt
Configure SSL/TLS in Elasticsearch
elasticsearch.yml
file to configure SSL/TLS for transport and HTTP communications. Example configuration for node-1
:xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /usr/local/elasticsearch/config/node-1.crt
xpack.security.transport.ssl.certificate_authorities: ["/usr/local/elasticsearch/config/ca.crt"]
xpack.security.transport.ssl.key: /usr/local/elasticsearch/config/node-1.key
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /usr/local/elasticsearch/config/node-1.crt
xpack.security.http.ssl.certificate_authorities: ["/usr/local/elasticsearch/config/ca.crt"]
xpack.security.http.ssl.key: /usr/local/elasticsearch/config/node-1.key
Restart Elasticsearch
After updating the configuration, restart Elasticsearch to apply the changes:
sudo systemctl restart elasticsearch
Additional Notes
- Trust Store Security:
- Ensure the trust store (
cacerts
) is securely stored and accessible only to authorized users.
- Ensure the trust store (
- Cluster Communication:
- All nodes must trust the same root CA for secure communication within the cluster.
- Testing:
- Test SSL/TLS connectivity using tools like
curl
oropenssl
.
- Test SSL/TLS connectivity using tools like
The post Generating a CSR and Using an External Certificate with Elasticsearch appeared first on SOC Prime.