Used: elasticsearch v6.0.0, elasticsearch v6.2.2
Since version 6, X-Pack Security for Elasticsearch requires node-to-node encryption to secure the Elasticsearch cluster. The main reason is that no unknown node can join the cluster and receive data through shard allocation. Across V6, V6.1 and V6.2 the tool `certgen` became deprecated and was replaced by `certutil`. My use case: I had created certificates with `certgen` for my cluster and needed to generate a new certificate for a new data node.
Baseline
I have three clusters in total; `yosemite` is my monitoring cluster.
```
tan@omega:/opt/elasticsearch-6.0.0> ls -l *.yml
-rw-r--r-- 1 elastic elastic 1152 Dec 1 12:41 prod-instances.yml
-rw-r--r-- 1 elastic elastic 604 Dec 1 12:54 test-instances.yml
-rw-r--r-- 1 elastic elastic 399 Nov 29 13:49 yosemite-instances.yml
```
The YAML definition is just an input for the certificate generation.
```
tan@omega:/opt/elasticsearch-6.0.0> cat yosemite-instances.yml
instances:
  - name: "Taft Point"
    ip: "10.22.62.137"
    dns:
      - "taft-point"
      - "taft-point.cinhtau.net"
  - name: "Setinal Rock"
    ip: "10.22.63.221"
    dns:
      - "sentinal-rock"
      - "sentinal-rock.cinhtau.net"
  - name: "El Capitan"
    ip: "10.123.19.11"
    dns:
      - "el-capitan"
      - "el-capitan.cinhtau.net"
```
certutil
`certutil` basic help:
```
tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil --help
Simplifies certificate creation for use with the Elastic Stack
Commands
--------
csr - generate certificate signing requests
cert - generate X.509 certificates and keys
ca - generate a new local certificate authority
Non-option arguments:
command
Option Description
------ -----------
-h, --help show help
-s, --silent show minimal output
-v, --verbose show verbose output
```
For generating a certificate:
```
tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil cert --help
generate X.509 certificates and keys
Option Description
------ -----------
-E <KeyValuePair> Configure a setting
--ca path to an existing ca key pair (in PKCS#12 format)
--ca-cert path to an existing ca certificate
--ca-dn distinguished name to use for the generated ca. defaults
to CN=Elastic Certificate Tool Autogenerated CA
--ca-key path to an existing ca private key
--ca-pass password for an existing ca private key or the generated
ca private key
--days <Integer> number of days that the generated certificates are valid
--dns comma separated DNS names
-h, --help show help
--in file containing details of the instances in yaml format
--ip comma separated IP addresses
--keep-ca-key retain the CA private key for future use
--keysize <Integer> size in bits of RSA keys
--multiple generate files for multiple instances
--name name of the generated certificate
--out path to the output file that should be produced
--pass password for generated private keys
--pem output certificates and keys in PEM format instead of
PKCS#12
-s, --silent show minimal output
-v, --verbose show verbose output
```
To generate a new certificate, I assemble this command:
```
bin/x-pack/certutil cert \
  --ca-cert /tmp/ca.crt --ca-key /tmp/ca.key \
  --name "machine-learning-master" \
  --ip "10.22.61.131" \
  --dns "ml-master,ml-master.cinhtau.net" \
  --pem -v
```
Some notes:
- `ca.crt` and `ca.key` are the preexisting root certificate authority.
- Instead of the `p12` format, use the previous `pem` file output.
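As an added example (not code from the post), a small Python script that parses an instances file in the layout of `yosemite-instances.yml` above and assembles the same `certutil cert` invocation per entry, so a new node can be appended to the YAML and its command generated instead of retyped; it validates each `ip` before it can end up in a certificate SAN. The sample instance and the CA paths `/tmp/ca.crt` and `/tmp/ca.key` are taken from the command above.

```python
import ipaddress

# Constructed sample in the layout of the post's yosemite-instances.yml,
# listing only the new data node from the post's certutil command.
SAMPLE_INSTANCES = """\
instances:
  - name: "machine-learning-master"
    ip: "10.22.61.131"
    dns:
      - "ml-master"
      - "ml-master.cinhtau.net"
"""

def _value(text):
    """Strip surrounding whitespace and quotes from a YAML scalar."""
    return text.strip().strip('"').strip("'")

def parse_instances(text):
    """Parse the name/ip/dns subset of the instances file without PyYAML."""
    instances, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "instances:":
            continue
        if line.startswith("- name:"):
            instances.append({"name": _value(line.split(":", 1)[1]), "ip": [], "dns": []})
            current = None
        elif line.startswith(("ip:", "dns:")):
            key, rest = line.split(":", 1)
            if rest.strip():  # inline scalar, e.g. ip: "10.22.61.131"
                instances[-1][key] = [v.strip() for v in _value(rest).split(",")]
            current = key     # otherwise a "- item" list follows
        elif line.startswith("- ") and current:
            instances[-1][current].append(_value(line[2:]))
    for inst in instances:
        for ip in inst["ip"]:
            ipaddress.ip_address(ip)  # raises ValueError: a typo must not become a SAN
    return instances

def build_certutil_cmd(inst, ca_cert, ca_key, certutil="bin/x-pack/certutil"):
    """Assemble the post's certutil invocation (existing PEM CA) for one instance."""
    cmd = [certutil, "cert", "--ca-cert", ca_cert, "--ca-key", ca_key, "--name", inst["name"]]
    if inst["ip"]:
        cmd += ["--ip", ",".join(inst["ip"])]
    if inst["dns"]:
        cmd += ["--dns", ",".join(inst["dns"])]
    return cmd + ["--pem"]
```

`build_certutil_cmd` returns an argv list, so it can be handed to `subprocess.run` directly or joined with `shlex.join` for a shell.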