Setting up security certificates
All of the Elasticsearch nodes in a cluster that is secured by Search Guard are required to use TLS encryption. TLS encrypts all network traffic and validates the identity of other nodes.
In addition, changing the Search Guard configuration requires the use of a client TLS certificate to perform administrative actions.
This section describes the security certificates and related files that must be prepared before installing Search Guard on the nodes.
For each node in the cluster, you will need to issue a server certificate that has the following attributes:
a Subject Alternative Name entry for each IP address or hostname that the node will be reachable at; this step can be omitted if you do not need to enable hostname verification.
a Subject Alternative Name entry set to
oid:220.127.116.11.5.5; the presence of this entry is needed by Search Guard to distinguish node certificates from client certificates. If the entry cannot be set by your CA, you will need to list the CNs of node certificates in the Elasticsearch configuration.
Certificates are expected to be PEM encoded X.509 files, while the private keys
must be PEM encoded PKCS8 files (
For POCs and clusters on private networks it is also possible to share the same certificate across multiple nodes, although this kind of configuration will require disabling any form of hostname verification.
Once the node certificates have been prepared, you will need to issue a client certificate that will be used to perform administrative actions on the Search Guard configuration.
The client certificate must contain a unique Distinguished Name to identify the
user, for example
Finally, you must prepare a file that contains the certificate of the CA that issued the certificates. If the certificates were issued by an intermediate CA, the file must bundle the full certificate chain.
The CA bundle file is used at runtime to validate both the node and client certificates on incoming connections. The same bundle is also used by Siren Investigate to encrypt and validate connections to the Elasticsearch cluster.
Floragunn provides a TLS certificate generation service, which can be used to create certificates for evaluation purposes.
To try the certificates in a single node setup, it is possible to specify localhost as the first hostname and submit the form.
The bundle that is generated by this service contains the following resources:
README.txt: an overview of the bundle and the passwords for all the certificates;
chain-ca.pem: the CA chain bundle in PEM format;
node-certificates: a directory containing certificate and private keys for each hostname specified in the form;
client-certificates: a directory containing sample client certificates and private keys, including the administrative certificate (
In addition to the online generator, Floragunn provides a TLS tool which can be used to generate these certificates without an Internet connection.