Elasticsearch Certificates

:heavy_exclamation_mark: This post is older than a year. Consider some information might not be accurate anymore. :heavy_exclamation_mark:

Used:   elasticsearch v6.0.0  elasticsearch v6.2.2 

Since Version 6 X-Pack Security for Elasticsearch requires Node to Node encryption to secure the Elasticsearch cluster. The main reason is, that no unknown node can join the cluster and gets data by shard allocation. Since V6, V6.1 and V6.2 the tool certgen became deprecated and was replaced by certutil. My use case scenario: Created certificates with certgen for my cluster and needed to generate a new certificate for a new data node.


I have in total three clusters. yosemite is my monitoring cluster.

tan@omega:/opt/elasticsearch-6.0.0> ls -l *.yml
-rw-r--r-- 1 elastic elastic  1152 Dec  1 12:41 prod-instances.yml
-rw-r--r-- 1 elastic elastic   604 Dec  1 12:54 test-instances.yml
-rw-r--r-- 1 elastic elastic   399 Nov 29 13:49 yosemite-instances.yml

The YAML definition is just an input for the certificate generation.

tan@omega:/opt/elasticsearch-6.0.0> cat yosemite-instances.yml
  - name: "Taft Point"
    ip: ""
      - "taft-point"
      - "taft-point.cinhtau.net"
  - name: "Setinal Rock"
    ip: ""
      - "sentinal-rock"
      - "sentinal-rock.cinhtau.net"
  - name: "El Capitan"
    ip: ""
      - "el-capitan"
      - "el-capitan.cinhtau.net"


certutil basic help.

tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil --help
Simplifies certificate creation for use with the Elastic Stack

csr - generate certificate signing requests
cert - generate X.509 certificates and keys
ca - generate a new local certificate authority

Non-option arguments:

Option         Description
------         -----------
-h, --help     show help
-s, --silent   show minimal output
-v, --verbose  show verbose output

For generating a certificate:

tan@omega:/opt/elasticsearch-6.2.2> bin/x-pack/certutil cert --help
generate X.509 certificates and keys

Option               Description
------               -----------
-E <KeyValuePair>    Configure a setting
--ca                 path to an existing ca key pair (in PKCS#12 format)
--ca-cert            path to an existing ca certificate
--ca-dn              distinguished name to use for the generated ca. defaults
                       to CN=Elastic Certificate Tool Autogenerated CA
--ca-key             path to an existing ca private key
--ca-pass            password for an existing ca private key or the generated
                       ca private key
--days <Integer>     number of days that the generated certificates are valid
--dns                comma separated DNS names
-h, --help           show help
--in                 file containing details of the instances in yaml format
--ip                 comma separated IP addresses
--keep-ca-key        retain the CA private key for future use
--keysize <Integer>  size in bits of RSA keys
--multiple           generate files for multiple instances
--name               name of the generated certificate
--out                path to the output file that should be produced
--pass               password for generated private keys
--pem                output certificates and keys in PEM format instead of
-s, --silent         show minimal output
-v, --verbose        show verbose output

To generate a new certificate, I assemble this command:

bin/x-pack/certutil cert \
  --ca-cert /tmp/ca.crt --ca-key /tmp/ca.key \
  --name "machine-learning-master" \
  --ip "" \
  --dns "ml-master,ml-master.cinhtau.net" \
  --pem -v

Some notes:

  • ca.crt and ca.key are the preexisting root certificate authority
  • instead of the p12 format use previous pem file output
Please remember the terms for blog comments.