Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: b9707c29a1
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
securing-communications
/
node-certificates.asciidoc

node-certificates.asciidoc 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596 
  1. [[node-certificates]]
    2. 

  2. ==== Generating Node Certificates
    3. 

  3. 

  4. TLS requires X.509 certificates to perform encryption and authentication of the
    5. 

  5. application that is being communicated with. In order for the communication
    6. 

  6. between nodes to be truly secure, the certificates must be validated. The
    7. 

  7. recommended approach for validating certificate authenticity in an {es} cluster
    8. 

  8. is to trust the certificate authority (CA) that signed the certificate. By doing
    9. 

  9. this, as nodes are added to your cluster they just need to use a certificate
    10. 

  10. signed by the same CA and the node is automatically allowed to join the cluster.
    11. 

  11. Additionally, it is recommended that the certificates contain subject alternative
    12. 

  12. names (SAN) that correspond to the node's IP address and DNS name so that
    13. 

  13. hostname verification can be performed.
    14. 

  14. 

  15. In order to simplify the process of generating certificates for the Elastic
    16. 

  16. Stack, a command line tool, {ref}/certutil.html[`elasticsearch-certutil`] has been
    17. 

  17. included with {xpack}. This tool takes care of generating a CA and signing
    18. 

  18. certificates with the CA. `elasticsearch-certutil` can be used interactively or
    19. 

  19. in a silent mode through the use of an input file. The `elasticsearch-certutil`
    20. 

  20. tool also supports generation of certificate signing requests (CSR), so that a
    21. 

  21. commercial- or organization-specific CA can be used to sign the certificates.
    22. 

  22. For example:
    23. 

  23. 

  24. . Optional: Create a certificate authority for your {es} cluster.
    25. 

  25. +
    26. 

  26. --
    27. 

  27. For example, use the `elasticsearch-certutil ca` command:
    28. 

  28. 

  29. [source,shell]
    30. 

  30. ----------------------------------------------------------
    31. 

  31. bin/elasticsearch-certutil ca
    32. 

  32. ----------------------------------------------------------
    33. 

  33. 

  34. You can configure the cluster to trust all nodes that have a certificate that
    35. 

  35. has been signed by this CA.
    36. 

  36. 

  37. The command outputs a single file, with a default name of `elastic-stack-ca.p12`.
    38. 

  38. This file is a PKCS#12 keystore that contains the public certificate for your CA
    39. 

  39. and the private key that is used to sign the certificates for each node.
    40. 

  40. 

  41. The `elasticsearch-certutil` command also prompts you for a password to protect
    42. 

  42. the file and key. If you plan to add more nodes to your cluster in the future,
    43. 

  43. retain a copy of the file and remember its password.
    44. 

  44. --
    45. 

  45. 

  46. . Generate a certificate and private key for for each node in your cluster.
    47. 

  47. +
    48. 

  48. --
    49. 

  49. For example, use the `elasticsearch-certutil cert` command:
    50. 

  50. 

  51. [source,shell]
    52. 

  52. ----------------------------------------------------------
    53. 

  53. bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    54. 

  54. ----------------------------------------------------------
    55. 

  55. The output is a single PKCS#12 keystore that includes the node certificate, node
    56. 

  56. key, and CA certificate.
    57. 

  57. 

  58. You are also prompted for a password. You can enter a password for your
    59. 

  59. certificate and key, or you can leave the password blank by pressing Enter.
    60. 

  60. 

  61. By default `elasticsearch-certutil` generates certificates that have no hostname
    62. 

  62. information in them (that is, they do not have any Subject Alternative Name
    63. 

  63. fields). This means that you can use the certificate for every node in your
    64. 

  64. cluster, but you must turn off hostname verification as shown in the
    65. 

  65. configuration below.
    66. 

  66. 

  67. If you want to use hostname verification within your cluster, run the
    68. 

  68. `elasticsearch-certutil cert` command once for each of your nodes and provide
    69. 

  69. the `--name`, `--dns` and `--ip` options.
    70. 

  70. 

  71. NOTE: You should secure the output files, since they contain the private keys
    72. 

  72. for your instance.
    73. 

  73. 

  74. Alternatively, if you want to use a commercial or organization-specific CA,
    75. 

  75. you can use the `elasticsearch-certutil csr` command to generate certificate
    76. 

  76. signing requests (CSR) for the nodes in your cluster. For more information, see
    77. 

  77. <<certutil>>.
    78. 

  78. --
    79. 

  79. 

  80. . Copy the node certificate to the appropriate locations.
    81. 

  81. +
    82. 

  82. --
    83. 

  83. Copy the applicable `.p12` file into a directory within the {es} configuration
    84. 

  84. directory on each node. For example, `/home/es/config/certs`. There is no need
    85. 

  85. to copy the CA file to this directory.
    86. 

  86. 

  87. For each additional Elastic product that you want to configure, copy the
    88. 

  88. certificates to the relevant configuration directory. 
    89. 

  89. --
    90. 

  90. 

  91. NOTE: If you choose not to use `elasticsearch-certutil`, the certificates that
    92. 

  92. you obtain must allow for both `clientAuth` and `serverAuth` if the extended key
    93. 

  93. usage extension is present. The certificates need to be in PEM or PKCS#12
    94. 

  94. format. Although not required, it is highly recommended that the certificate
    95. 

  95. contain the DNS names and/or IP addresses of the node so that hostname
    96. 

  96. verification can be used.
    97.