The 'cert' mode generates X.509 certificate and private keys.
By default, this generates a single certificate and key for use
on a single instance.
Copy elastic-certificates.p12 to the Elasticsearch config folder, then modify elasticsearch.yml as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
Open the command prompt as an admin. Go to the Elasticsearch bin folder and run the following command -
elasticsearch.bat
If we now go to https://localhost:9200 we can access the Elasticsearch cluster over HTTPS.
SSL Certificate setting
We may want to control the server's behavior with regard to requesting a certificate
from client connections.
We may want to make it compulsory for the client to provide a certificate if it wants to access
the Elasticsearch cluster. Without a certificate the client will not be able to access the cluster.
In the current Elasticsearch configuration we have not specified any client certificate requirement, so currently
a client can access Elasticsearch without providing any certificate.
xpack.security.http.ssl.client_authentication
Valid values are required, optional, and none.
required forces a client to present a certificate, while optional requests a
client certificate but the client is not required to present one. Defaults to none.
Modify the elasticsearch.yml as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required
If we now try to access https://localhost:9200 using the browser, the request fails and we get the error as follows
The client needs to provide the certificate, and only then will it be able to access the Elasticsearch cluster. To do this
we make use of Postman as the client. We configure the certificate in the Postman settings.
If we now access Elasticsearch at https://localhost:9200 using Postman, we will be able to access it.
Configure TLS for Elasticsearch
The transport protocol is used for internal communications between Elasticsearch nodes.
We will configure TLS for the transport layer, in addition to the HTTPS settings above,
as follows -
# configure https
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
xpack.security.http.ssl.client_authentication: required
# configure tls
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.keystore.password: javainuse
xpack.security.transport.ssl.client_authentication: required
Now any node that needs to join the Elasticsearch cluster must be configured with the PKCS12 certificate, i.e. elastic-certificates.p12.
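A quick way to check an elasticsearch.yml against the HTTPS and transport settings described above. This is an added example, not part of the original tutorial or of Elasticsearch itself; the function names and the sample file content are constructed for illustration, and the parser only handles the flat "dotted.key: value" form used on this page.

```python
# Added example: audit a flat elasticsearch.yml for the TLS settings used above.
# SAMPLE_YML is constructed: HTTPS on, no client_authentication, no transport TLS.
SAMPLE_YML = """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.keystore.password: javainuse
"""

VALID_CLIENT_AUTH = {"required", "optional", "none"}

def parse_flat_yml(text):
    """Parse 'dotted.key: value' lines, skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def audit(text):
    """Return findings for the http and transport TLS settings."""
    cfg = parse_flat_yml(text)
    findings = []
    for layer in ("http", "transport"):
        prefix = f"xpack.security.{layer}.ssl."
        if cfg.get(prefix + "enabled", "").lower() != "true":
            findings.append(f"{layer}: TLS not enabled in this file")
            continue
        if not cfg.get(prefix + "keystore.path"):
            findings.append(f"{layer}: no keystore.path set")
        mode = cfg.get(prefix + "client_authentication")
        if mode is None:
            findings.append(f"{layer}: client_authentication not set explicitly")
        elif mode not in VALID_CLIENT_AUTH:
            findings.append(f"{layer}: invalid client_authentication '{mode}'")
        elif mode != "required":
            findings.append(f"{layer}: client_authentication is '{mode}', certificate not enforced")
        # Elasticsearch can also read this from its secure settings keystore
        # (keystore.secure_password) instead of plain text in the yml file.
        if prefix + "keystore.password" in cfg:
            findings.append(f"{layer}: keystore password is in plain text")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_YML):
        print(finding)
```

Run against the first configuration on this page it reports the missing client certificate requirement and the absent transport TLS block; run against the final configuration it reports only the plain-text keystore passwords.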