How to create and configure an SSL certificate in Elasticsearch hosted on Windows?
Issue description:
How to create and configure an SSL certificate in Elasticsearch hosted on Windows?
Resolution:
Creating a Self-Signed SSL Certificate for Elasticsearch.
- As a prerequisite, create an instance.yml file by creating a new text file and copying the content below.
  instances:
    - name: "node1"
      ip:
        - "10.0.0.1"
    - name: "node2"
      ip:
        - "10.0.0.2"
    - name: "node3"
      ip:
        - "10.0.0.3"
  If using DNS instead of an IP address, configure the DNS entry like this:
      dns:
        - node1.example.com
  Place the instance.yml file in the home folder of Elasticsearch.
- Generate a certificate using elasticsearch-certutil.
  Navigate to {installation folder}\elasticsearch-8.6.1\bin and run the command below:
  .\elasticsearch-certutil cert --in instance.yml --out node1.zip --pem --self-signed
  The above command will create a zip file containing cert.crt and cert.key files in the Elasticsearch home or root directory.
- Extract the files to {installation folder}\elasticsearch-8.6.1\config\certs.
- Configure cert.crt and cert.key in the elasticsearch.yml file.
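- Configure the settings below. The key and certificate paths are relative to the Elasticsearch config folder and must name the files extracted for this node: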
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/ca.key
xpack.security.http.ssl.certificate: certs/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/murali-vm01.key
xpack.security.transport.ssl.certificate: certs/murali-vm01.crt
xpack.security.transport.ssl.verification_mode: certificate
- Restart Elasticsearch.bat or Elasticsearch.service.
- After configuring the above settings, try browsing the Elasticsearch URL using HTTPS instead of HTTP: https://{elasticurl}:9200.
- Perform the same action for all nodes.
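Before restarting each node, the settings above can be checked against the files actually extracted into config\certs. The following is an added example, not part of the original article or of Elasticsearch; the function names, the node1 file names and the sample configuration are constructed for illustration, and it only handles the flat dotted-key style of elasticsearch.yml shown above.

```python
# Added example (not from the original article): lint the TLS settings shown above.
LAYERS = ("http", "transport")
VALID_MODES = {"full", "certificate", "none"}  # values Elasticsearch accepts

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines, the style used in the article."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def check_tls_settings(yml_text, files_in_config):
    """Return a list of problems. files_in_config: paths relative to config\\."""
    s = parse_flat_yaml(yml_text)
    # Windows paths are case-insensitive and may use either separator.
    present = {f.replace("\\", "/").lower() for f in files_in_config}
    problems = []
    for layer in LAYERS:
        prefix = f"xpack.security.{layer}.ssl."
        if s.get(prefix + "enabled", "").lower() != "true":
            problems.append(f"{layer}: TLS is not enabled")
            continue
        for item in ("key", "certificate"):
            path = s.get(prefix + item)
            if not path:
                problems.append(f"{layer}: {item} is not set")
            elif path.replace("\\", "/").lower() not in present:
                problems.append(f"{layer}: {item} file not found: {path}")
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")
    if mode not in VALID_MODES:
        problems.append(f"transport: unknown verification_mode: {mode}")
    return problems

# Constructed sample: node1 files extracted to config\certs, one path mistyped.
SAMPLE_FILES = ["certs\\node1.crt", "certs\\node1.key"]
SAMPLE_YML = """
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/node1.key
xpack.security.http.ssl.certificate: certs/node1.crt
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: certs/node1.key
xpack.security.transport.ssl.certificate: certs/node1.cr
xpack.security.transport.ssl.verification_mode: certificate
"""
if __name__ == "__main__":
    print(check_tls_settings(SAMPLE_YML, SAMPLE_FILES))
```

An empty result means every enabled layer points at a key and certificate that exist under the config folder; it does not validate the certificate contents themselves.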