elasticsearchelasticsearch-x-pack

Where does elasticsearch certificates located


I want to implement xpack security. The below code that I put in elasticsearch.yml. But I get an error that certificate does not exist. I have checked all directories in node, there is no elastic-certificates.p12. How can i solve this ? And how can i implement this ?

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.license.self_generated.type: basic

Thanks for answering


Solution

  • Above configurations are fine, what you need to do is generate node certificates in order to encrypt the elasticsearch internode communication(TLS - Transport Layer Security). The reason is, by default elasticsearch transfer data in text format(even passwords) which is a poor security practice. Therefore, inter-node communication should be encrypted before enabling Xpack security. This can be achieved by using elasticsearch certutil package. Follow the below steps(not suitable for production only for testing purposes).

    1. Go to elasticsearch 'bin' directory in your terminal.
    2. Execute command ./elasticsearch-certutil ca This will generate a certificate authority in your elasticsearch main directory. When you are asked to enter a filename for your CA, hit "enter" then it'll take the default filename 'elastic-stack-ca.p12'. Then after it'll ask for a password for the CA(Certificate Authority), then again hit "enter".
    3. Now we need to generate a TLS certificate for your elasticsearch instance using above generated CA file. For that, execute ./elasticsearch-certutil cert --ca elastic-stack-ca.p12. when executing this command first, it'll ask for the password of your CA file, then hit 'enter' then after it'll ask for TLS certificate name then again hit 'enter' then it'll take the TLS certificate name as 'elastic-certificates.p12' which is the default name finally it'll ask for a password for the TLS certificate, then again hit 'enter'. Now you will be able see a two new files in your elasticsearch main directory.
    4. Copy the elastic-certificates.p12 file into elasticsearch 'config' directory. If you have multiple elasticsearch nodes copy the same file into each node's 'config' directory.
    5. Now start the elasticsearch instance/s

    Please note that above configuration steps are not suitable for production, only for testing... :)