Elasticsearch | updating certificates

New CA stuff:

elasticsearch-certutil ca --pem --days 3650
test -d ca && rm -rf ca
unzip /usr/share/elasticsearch/elastic-stack-ca.zip -d ./
rm -f /usr/share/elasticsearch/elastic-stack-ca.zip

Import ca.crt into truststore:

keytool -importcert -trustcacerts -noprompt -keystore elastic-stack-ca.p12 -alias elastic-ca -file ca/ca.crt
keytool -keystore elastic-stack-ca.p12 -list

New Transport certs:

elasticsearch-certutil cert --ca-cert ./ca/ca.crt --ca-key ./ca/ca.key --days 3650

elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

New http cert:

elasticsearch-certutil http
test -d http && rm -rf http
unzip /usr/share/elasticsearch/elasticsearch-ssl-http.zip -d ./http/
rm -f /usr/share/elasticsearch/elasticsearch-ssl-http.zip

elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Tune elasticsearch.yml:

xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.path: certs/elastic-stack-ca.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12


Answers to the elasticsearch-certutil http prompts:

CSR? NO

CA? YES

ONE CERT PER NODE? YES

NODE NAME? CHECK elasticsearch.yml FOR node.name

REPEAT FOR EACH NODE
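Once the new CA, transport and http bundles are in place, it is worth checking that each node certificate actually chains to the new CA, is not about to expire, and carries the node name as a DNS SAN before restarting anything. The helper below is an added example, not part of the original post or of the Elasticsearch tooling; it assumes the openssl CLI is installed, and the file names (ca.crt, http.p12, the password changeit, the node name es-node-1) are constructed placeholders standing in for the ca/ and http/ output produced by the commands above.

```shell
#!/bin/sh
# Post-rotation certificate checks for Elasticsearch (added example, not from
# the original post). Assumes the openssl CLI is available; file names and the
# password are placeholders for the real ca/ca.crt and http/.../http.p12.

# p12_leaf_to_pem P12 PASSWORD OUT_PEM
# Extract the node (leaf) certificate from a PKCS12 bundle such as http.p12.
p12_leaf_to_pem() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" -out "$3" 2>/dev/null
}

# verify_es_cert CA_PEM CERT_PEM NODE_NAME
# Returns 0 when CERT_PEM chains to CA_PEM, stays valid for at least 30 more
# days and lists NODE_NAME as a DNS SAN (what peers and clients match against).
verify_es_cert() {
  ca="$1"; cert="$2"; name="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
    || { echo "FAIL: $cert expires within 30 days"; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$name" \
    || { echo "FAIL: $name is not a DNS SAN in $cert"; return 1; }
  echo "OK: $cert is valid for $name and signed by $ca"
  return 0
}

# make_demo_pki DIR NODE_NAME
# Build a constructed CA, a node certificate with a DNS SAN, and a PKCS12
# bundle so the checks can be exercised offline. In real use, skip this and
# point verify_es_cert at the files produced by elasticsearch-certutil.
make_demo_pki() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=demo-elastic-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 3650 -extfile "$dir/san.cnf" -out "$dir/node.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/node.crt" -inkey "$dir/node.key" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/http.p12" 2>/dev/null
}

# Usage against the constructed files:
#   d=$(mktemp -d); make_demo_pki "$d" es-node-1
#   p12_leaf_to_pem "$d/http.p12" changeit "$d/leaf.crt"
#   verify_es_cert "$d/ca.crt" "$d/leaf.crt" es-node-1
```

Run verify_es_cert once per node with that node's node.name from elasticsearch.yml; a name that is not in the SAN list is the usual reason a freshly rotated http certificate is rejected by clients even though it chains correctly.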
