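--- a/PATH-UNKNOWN
+++ b/PATH-UNKNOWN
@@ -1,47 +1,63 @@
 [role="xpack"]
 [[tls-http]]
-==== Encrypting HTTP Client communications
+==== Encrypting HTTP client communications
 
 When {security-features} are enabled, you can optionally use TLS to ensure that
 communication between HTTP clients and the cluster is encrypted.
 
 NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
 If you enable TLS on the HTTP layer in {es}, then you might need to make
-configuration changes in other parts of the Elastic Stack and in any {es}
-clients that you use.
+configuration changes in other parts of the {stack} and in any {es} clients that
+you use.
 
 . If you have not done so already, <<node-certificates,generate node certificates>>.
++
+--
+In particular, you need the files that are generated by the following command:
+
+[source,shell]
+----------------------------------------------------------
+bin/elasticsearch-certutil http
+----------------------------------------------------------
+
+This command generates a zip file that contains certificates and keys for use in
+{es} and {kib}. Each folder contains a readme that explains how to use the files.
+--
+
+. Verify that you've copied the output files to the appropriate locations, as
+specified in the readme files. 
++
+--
+For example, copy the `http.p12` file from the `elasticsearch` folder into a 
+directory within the {es} configuration directory on each node. If you chose to 
+generate one certificate per node, copy the appropriate `http.p12` file to each
+node. If you want to use {kib} to access this cluster, copy the
+`elasticsearch-ca.pem` file from the `kibana` folder into the {kib}
+configuration directory.
+--
 
 . Enable TLS and specify the information required to access the node’s
-certificate.
+certificate. For example:
 
-** If the certificate is in PKCS#12 format, add the following information to the
-`elasticsearch.yml` file on each node:
+.. Update the `elasticsearch.yml` file on each node with the location of the
+certificates.
 +
 --
+If the certificates are in PKCS#12 format:
+
 [source, yaml]
 --------------------------------------------------
 xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1>
-xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2>
+xpack.security.http.ssl.keystore.path: "http.p12"
 --------------------------------------------------
-<1> If you created a separate certificate for each node, then you might need to
-customize this path on each node. If the filename matches the node name, you can
-use the `certs/${node.name}.p12` format, for example.
-<2> The `elasticsearch-certutil` output includes the CA certificate inside the
-PKCS#12 keystore, therefore the keystore can also be used as the truststore.
-This name should match the `keystore.path` value.
---
 
-** If the certificate is in PEM format, add the following information to the
-`elasticsearch.yml` file on each node:
-+
---
+If you have certificates in PEM format:
+
 [source, yaml]
 --------------------------------------------------
 xpack.security.http.ssl.enabled: true
-xpack.security.http.ssl.key:  /home/es/config/node01.key <1>
-xpack.security.http.ssl.certificate: /home/es/config/node01.crt <2>
+xpack.security.http.ssl.key:  /home/es/config/node1_http.key <1>
+xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt <2>
 xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3>
 --------------------------------------------------
 <1> The full path to the node key file. This must be a location within the
@@ -52,29 +68,29 @@ xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3
     must be a location within the {es} configuration directory.
 --
 
-. If you secured the node's certificate with a password, add the password to
-your {es} keystore:
-
-** If the signed certificate is in PKCS#12 format, use the following commands:
+.. If you secured the keystore or the private key with a password, add that password to a secure 
+setting in {es}.
 +
 --
+If the certificates are in PKCS#12 format:
+
 [source,shell]
 -----------------------------------------------------------
 bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
-
-bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
 -----------------------------------------------------------
---
 
-** If the certificate is in PEM format, use the following commands:
-+
---
+If the certificates are in PEM format:
+
 [source,shell]
 -----------------------------------------------------------
 bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
 -----------------------------------------------------------
 --
 
+. Optional: If you want to use {kib}, follow the instructions in the readme
+provided by the `elasticsearch-certutil http` command or see
+{kibana-ref}/configuring-tls.html[Encrypting communications in {kib}].
+
 . Restart {es}.
 
 [NOTE]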