Siren Platform User Guide

SSL certificates

All the Elasticsearch nodes in a cluster secured by Search Guard are required to use SSL to encrypt all network traffic.

In addition, changing the Search Guard configuration requires the use of a client SSL certificate to perform administrative actions.

To set up a Search Guard cluster, you must generate the following files:

  • truststore: Common to all nodes, containing the CA certificate chain.
  • keystore: For each node, containing the certificate for the node.
  • keystore: For each administrative user, containing a certificate bundle that identifies the user.
  • keystore: Containing an SSL certificate for the Elasticsearch HTTP server.

These files can be either Java KeyStore files or PKCS12 bundles.

Issuing certificates in an existing PKI infrastructure

If your organization has a PKI infrastructure in place, you can generate Java KeyStore files from a PEM bundle by using the keytool command, for example:

$ keytool \
  -importcert \
  -file ca.pem \
  -keystore truststore.jks

The command will store the contents of ca.pem into a file named truststore.jks in the current folder.

The same command can be used to convert certificates signed by your CA for nodes, administrative users and the REST API.

Node certificates must include oid:1.2.3.4.5.5 as a Subject Alternative Name entry to work correctly with Search Guard; for details on how to customize the OID, consult the Search Guard documentation.

If you want to enable hostname verification, ensure that at least one Subject Alternative Name is equal to the DNS name of the node.

Client certificates for administrative users must contain a unique Distinguished Name to identify the user, for example:

CN=admin,DC=siren,DC=solutions

Certificates for the Elasticsearch HTTP server can be used across multiple nodes by setting multiple hostnames in the Subject Alternative Name attribute or by using a wildcard certificate.
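The following shell functions are an added example, not part of the Siren or Search Guard documentation: they check a PEM node certificate against the requirements described above (the Search Guard node OID as a Subject Alternative Name, and a DNS SAN equal to the node's hostname when hostname verification is on) and then bundle the node key, certificate and CA chain into the PKCS12 keystore and truststore formats this page says Search Guard accepts. They assume openssl is on the PATH; file names and passwords are placeholders.

```sh
# Added example (not from the Siren/Search Guard docs). Assumes openssl is on PATH.

SG_NODE_OID="1.2.3.4.5.5"   # Search Guard's default node OID, as required above

# Print the Subject Alternative Name entries of a PEM certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//'
}

# Return 0 if the certificate carries the node OID as a SAN; openssl prints a
# registered-ID SAN as "Registered ID:<oid>".
has_node_oid() {
    cert_sans "$1" | grep -q "^Registered ID:$SG_NODE_OID\$"
}

# Return 0 if a DNS SAN equals the given hostname (what hostname verification checks).
has_dns_san() {
    cert_sans "$1" | grep -q "^DNS:$2\$"
}

# Bundle a node's PEM key, certificate and CA chain into a PKCS12 keystore,
# refusing to do so if the certificate lacks the node OID SAN.
make_node_keystore() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; pass="$5"
    has_node_oid "$cert" || { echo "$cert: missing node OID SAN" >&2; return 1; }
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name node -out "$out" -passout "pass:$pass"
}

# Put the CA certificate chain (PEM) into a PKCS12 truststore with no private key.
make_truststore() {
    openssl pkcs12 -export -nokeys -in "$1" -out "$2" -passout "pass:$3"
}
```

The same checks apply to certificates produced by an external PKI before they are imported with keytool as shown above.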

Issuing certificates using the TLS certificate generator

Floragunn GmbH provides a TLS certificate generation service which can be used to create a bundle of certificates for evaluation purposes.

To try the certificates in a single node setup, it is possible to specify localhost as the first hostname and submit the form.

The bundle contains:

  • README.txt: Provides an overview of the bundle and the passwords for all the keystores.
  • truststore.jks: the CA certificate chain in KeyStore format.
  • node-certificates: the transport certificates for the nodes in several formats; these certificates can also be used for the Elasticsearch HTTP server.
  • client-certificates: client certificates and private keys.
  • root-ca: the root CA bundle in PEM format.
  • signing-ca: the signing CA bundle in PEM format.

In addition to the online generator, Floragunn provides a TLS tool which can be used to manage a private certification authority.
