{"id":19403,"date":"2023-11-25T10:51:25","date_gmt":"2023-11-25T07:51:25","guid":{"rendered":"https:\/\/kifarunix.com\/?p=19403"},"modified":"2024-03-10T11:47:19","modified_gmt":"2024-03-10T08:47:19","slug":"generate-wildcard-ssl-certificates-for-elasticsearch","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/generate-wildcard-ssl-certificates-for-elasticsearch\/","title":{"rendered":"Generate Wildcard SSL Certificates for Elasticsearch"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1030\" height=\"573\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/11\/elasticsearc-wildcard-ssl-certs.png\" alt=\"Generate Wildcard SSL Certificates for Elasticsearch\" class=\"wp-image-19414\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/11\/elasticsearc-wildcard-ssl-certs.png 1030w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/11\/elasticsearc-wildcard-ssl-certs-768x427.png 768w\" sizes=\"(max-width: 1030px) 100vw, 1030px\" \/><\/figure><\/div>\n\n\n<p>Is there an easy way to generate wildcard SSL certificates for Elasticsearch? Yes, definitely. In the current Elasticsearch releases (8.x), the HTTP and Transport layers are configured with <a href=\"https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/current\/manually-configure-security.html#security-basic-https-overview\" target=\"_blank\" rel=\"noreferrer noopener\">SSL\/TLS<\/a> certificates automatically at install time. The challenge with this, especially for the HTTP layer, is that the generated certificate has its common name tied to the node&#8217;s hostname and localhost. If you want to reuse this certificate across the cluster, it will be a bit challenging. 
Wildcard SSL certificates offer a convenient and effective approach to secure Elasticsearch deployments, enabling seamless encryption across multiple domains or subdomains under a single certificate.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#generating-wildcard-ssl-certificates-for-elasticsearch\">Generating Wildcard SSL Certificates for Elasticsearch<\/a><ul><li><a href=\"#install-and-setup-elasticsearch\">Install and Setup Elasticsearch<\/a><\/li><li><a href=\"#generate-elasticsearch-certificate-authority\">Generate Elasticsearch Certificate Authority<\/a><ul><li><a href=\"#use-existing-ca-files\">Use Existing CA Files<\/a><\/li><li><a href=\"#create-own-elasticsearch-certificate-authority\">Create Own Elasticsearch Certificate Authority<\/a><\/li><\/ul><\/li><li><a href=\"#generating-wildcard-ssl-certificates-for-elasticsearch-1\">Generating Wildcard SSL Certificates for Elasticsearch<\/a><ul><li><a href=\"#using-existing-ca-to-generate-wildcard-certificates\">Using Existing CA to Generate Wildcard Certificates<\/a><\/li><li><a href=\"#using-newly-created-ca-to-generate-wildcard-certificates\">Using Newly Created CA to Generate Wildcard Certificates<\/a><\/li><\/ul><\/li><li><a href=\"#using-commercial-ca-signed-certificates\">Using Commercial CA Signed Certificates<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"generating-wildcard-ssl-certificates-for-elasticsearch\">Generating Wildcard SSL Certificates for Elasticsearch<\/h2>\n\n\n\n<p>Elasticsearch nodes in a cluster communicate with each other through the transport layer via transport protocol on port 9300\/tcp while REST clients such as Beats, Kibana, Logstash or any other client, communicate with Elasticsearch through the HTTP layer via the HTTP protocol on port 9200\/tcp.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-and-setup-elasticsearch\">Install and Setup 
Elasticsearch<\/h3>\n\n\n\n<p>We assume that you have a running cluster. If not, you can check our guides on how to install and setup ELK stack;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/?s=setup+elk+stack\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup ELK Stack<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generate-elasticsearch-certificate-authority\">Generate Elasticsearch Certificate Authority<\/h3>\n\n\n\n<p>So, you can use existing CA files generated automatically during install or create your own. <\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"use-existing-ca-files\">Use Existing CA Files<\/h4>\n\n\n\n<p>When Elasticsearch 8.x is installed, it automatically enables and configures SSL\/TLS on both the HTTP and Transport layer. In the process, it generates CA and associated certificate files.<\/p>\n\n\n\n<p>The certificate files are stored in the <strong><code>\/etc\/elasticsearch\/certs\/<\/code><\/strong> directory.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls -1 \/etc\/elasticsearch\/certs\/<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>http_ca.crt\nhttp.p12\ntransport.p12<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>http_ca.crt<\/strong>: This file contains the CA certificate for the Elasticsearch cluster. 
The CA certificate is used to verify the authenticity of the server certificates that are used by Elasticsearch nodes.<\/li>\n\n\n\n<li><strong>http.p12<\/strong>: The PKCS#12 file contains the server certificate and private key for the HTTP REST interface as well as the CA key.<\/li>\n\n\n\n<li><strong>transport.p12<\/strong>: The PKCS#12 file contains the client certificate and private key for the Transport client interface.<\/li>\n<\/ul>\n\n\n\n<p>Similarly, you can confirm this in the Elasticsearch configuration;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>less \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\nxpack.security.enabled: true\nxpack.security.enrollment.enabled: true\nxpack.security.http.ssl:\n  enabled: true\n  keystore.path: certs\/http.p12\nxpack.security.transport.ssl:\n  enabled: true\n  verification_mode: certificate\n  keystore.path: certs\/transport.p12\n  truststore.path: certs\/transport.p12\n...\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-own-elasticsearch-certificate-authority\">Create Own Elasticsearch Certificate Authority<\/h4>\n\n\n\n<p>You can also create your own Elasticsearch CA. To do so, first create a directory to store the certificates if you don\u2019t have one already.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;&#91; -d \/etc\/elasticsearch\/es-certs ]] || mkdir \/etc\/elasticsearch\/es-certs<\/code><\/pre>\n\n\n\n<p>Generate the Certificate Authority (CA). By default, the CA is generated in PKCS#12 format. 
To generate them in the usual PEM format, pass the&nbsp;<strong><code>--pem<\/code><\/strong>&nbsp;option.<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil ca \\\n\t--pem \\\n\t--days 3650 \\\n\t--out \/etc\/elasticsearch\/es-certs\/elkstack-ca.zip\n<\/code><\/pre>\n\n\n\n<p>You can also run the command as below and go through the prompts to generate the CA.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil ca<\/code><\/pre>\n\n\n\n<p>The output zip file will contain individual files for the CA certificate and private key.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip -l \/etc\/elasticsearch\/es-certs\/elkstack-ca.zip<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>Archive:  \/etc\/elasticsearch\/es-certs\/elkstack-ca.zip\n  Length      Date    Time    Name\n---------  ---------- -----   ----\n        0  2023-11-24 16:38   ca\/\n     1200  2023-11-24 16:38   ca\/ca.crt\n     1675  2023-11-24 16:38   ca\/ca.key\n---------                     -------\n     2875                     3 files\n<\/code><\/pre>\n\n\n\n<p>Unzip the file to get the CA required to generate the TLS certs.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip -d \/etc\/elasticsearch\/es-certs \/etc\/elasticsearch\/es-certs\/elkstack-ca.zip<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>Archive:  \/etc\/elasticsearch\/es-certs\/elkstack-ca.zip\n   creating: \/etc\/elasticsearch\/es-certs\/ca\/\n  inflating: \/etc\/elasticsearch\/es-certs\/ca\/ca.crt  \n  inflating: \/etc\/elasticsearch\/es-certs\/ca\/ca.key \n<\/code><\/pre>\n\n\n\n<p>You should now have the&nbsp;<strong>ca\/ca.crt<\/strong>&nbsp;and&nbsp;<strong>ca\/ca.key<\/strong>&nbsp;in PEM format in the certs directory as shown above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"generating-wildcard-ssl-certificates-for-elasticsearch-1\">Generating Wildcard SSL Certificates for Elasticsearch<\/h3>\n\n\n\n<p>Now that you 
have the CA certificates, you can generate and sign your HTTP certificates for the Elasticsearch cluster.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-existing-ca-to-generate-wildcard-certificates\">Using Existing CA to Generate Wildcard Certificates<\/h4>\n\n\n\n<p>If you want to use the CA certificates generated automatically during the installation of Elasticsearch to generate wildcard SSL\/TLS certificates for the Elasticsearch HTTP interface, then proceed as follows.<\/p>\n\n\n\n<p>The <strong><code>\/etc\/elasticsearch\/certs\/http.p12<\/code><\/strong> file contains the server certificate and private key for the HTTP REST interface as well as the CA key.<\/p>\n\n\n\n<p>However, this certificate will have its common name tied to the FQDN of the Elasticsearch node. This means that, if you have a cluster of nodes, it becomes a challenge to define the Elasticsearch host name on the client side if you want to send logs to other nodes in the cluster.<\/p>\n\n\n\n<p>Example error when you try to connect to ES using Filebeat with an ES host that does not match the exact ES node;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>\"message\":\"Failed to connect to backoff(elasticsearch(https:\/\/elk.kifarunix-demo.com:9200)): Get \\\"https:\/\/elk.kifarunix-demo.com:9200\\\": x509: certificate is valid for localhost, es-node01.kifarunix-demo.com, not elk.kifarunix-demo.com\"<\/strong><\/code><\/pre>\n\n\n\n<p>To generate wildcard SSL certificates from the existing CA, you need to have the CA key.<\/p>\n\n\n\n<p>To get the CA key, you first need to retrieve the password that was used to protect it by executing the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password<\/code><\/pre>\n\n\n\n<p>The command will print the keystore password to standard output.<\/p>\n\n\n\n<p>Once you have the keystore password, extract the CA 
key;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl pkcs12 -in \/etc\/elasticsearch\/certs\/http.p12 -nodes<\/code><\/pre>\n\n\n\n<p>You will be prompted to enter the keystore password. Use the one retrieved above.<\/p>\n\n\n\n<p>The command will print keys each with a friendlyName, e.g, <strong><code>friendlyName: http_ca<\/code><\/strong> and     <strong><code>friendlyName: http<\/code><\/strong>. <\/p>\n\n\n\n<pre class=\"scroll-box\"><code>MAC: sha256, Iteration 10000\nMAC length: 32, salt length: 20\nPKCS7 Data\nShrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256\nBag Attributes\n    friendlyName: http_ca\n    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 33 39 \nKey Attributes: <No Attributes>\n-----BEGIN PRIVATE KEY-----\nMIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC4y7ivLZ2UJJqp\n9xKj2q5yWO6RFSXoJo92fNtaVdfu4QULNLSn540Z4nGE+pjkP1u15\/H5mFzQLQQ0\nrNvoZUxGgzmOLmo8eXsY3iyh5Q3suVNfYY3v+zTmFbD6A7f87MKLLSU6ee2ojdFl\nOKT6j00DgmqaPYuqd6CYY7FP2\/3asAiSZC9o48RplvkSRBx4Hda7SpOAzlPDGgcm\nvnWQqf0Nd+TH7Y8M2Cn+\/\/95YVuNOL03kaXeoZixjPK3zWpYCc6nVRQkR5e9ihbf\nWWCBPtJq6nKRkZXWCpE8VsEwI0Pd\/0z5aqqXgM9r7\/YaOABZksYpX0HR49y8SkU2\nC28BMN8X3229Zy2tkdYbGUOaGMuzhb\/ce+SsUZDN43gYNiEcgIxNe11Xp+R0dbwc\nLkolkoYNddSqi75Vem2PsdSLTR4z1xn7BWf7BxP+PY2\/jcvVD4NDNAMDWwKAIW+P\nqBrsJizYFLWBz0p280XI6Vm+4KMfvF9wI6wCA4UdLJBvK6Syh3CaJ\/27ufiFLgQ3\nxlxjY8dmWxAp8rW3pPF00wwcYF6MBjC8uGijga1fgvqjlz9qJqk0\/CK2OGXRQdyK\nNBh+YmYJccrShxh3wPE42S1NTsHNhiaKub6TbBn6ANKAV8luq425buH\/qZhyNBy+\nAP5ewwCF41H0U8eKOycbmmodYhX2QwIDAQABAoICABbv\/TCL8kSdITAk9toCdCdw\nBSIFBKYtgx6AnkmMNjf0aPKHIZVlwbc2IEO9Rz+tjZilUv0EKHZpNV3EcaywRijK\nc65uRx7ShVuvgs1lkmDmcAQle79kkvWsOOy6NsWHgxj7YDpDQCNCgdHql1pyccC\/\nGLRPHLLqvl2r93+jctMI3pzXyqVeVYGLDRzIpNqpTtSt4Q6FOGhoe\/1seUic5kgc\nWvgQnfJI3ThFq6meqAUoxx51Tv1fWYX6\/3WeYwDNLCrLqKsIJ+bi6QvixX5wFHYo\n5lJN8SdBkIgeIe9JBqIw5Ou14w7Ycjvs68M9XZhrW3rEfssABDoVje8IuZ065Qs\/\nXFWFhPKQwkxyhkgcYnthbydI+BRWXSNPm6cfzag08brao9Ozzm6R9+Zj9J4SoH01\nkWaECW
bEFk+SZfjxDlUozpSIBmFcRA9crHqGKXqnUrBHNWgd+aqlgt\/kxf0Nd2Qi\nNiLyXO9YMZCS7h7mkXTadHPt+rD+PZubXGYEGQP5LgwQqJ7knxhP\/S0wpdqblOXl\nI79MT6vdKCWEKUyh79sHfDgbTa8VnzALLUme\/PzL8\/zR+TUMTuY7fxYWSGNSoXj5\nbrinxHpyMogeSXD9h\/49Fk8ENjPhIVneQj16q\/JR8+3yB1lcZsTaB5sqcRQCUkvg\nnyqUtSMCsukLfqL0grghAoIBAQDsHobEPD0O5OaiD\/q+0wrDZLdMR7iFygMsjPVE\nzvFcwtytnmDDFuZGoTLK6n3XuamTIDDLAiGQDqA7OgADNmFGS\/Sxq3Br1wlEJ6uK\nEklCGq6+6CVZCEwf10JfVYa8MBTVIBZoR5N6E1hymvtXAV\/XoT09ubXauHxZDaXB\nVbjyUdZ3LsQVPB0AaKN3MTd86nIWl14CbaIPg+0QeZ4M4p1GJ3P+vHaRil4jFQJI\ncPINm1JDYuSvj876UwxvUycX9uR01Ybp9mmMAgVgZWqTOY1DeM+iu0xWjyTjOqI7\nTByTm0FRtwHdVo9j0sn6PDCw0LXPJh+5C0kBDIGO2apX+XpVAoIBAQDIWu8+37rF\nAKZ86ALMJdDgPGhcUiNNWHemy9+9Q\/xQaec+\/xcMArpwhwg7y1hyzDo89qT3\/+Fq\nptL960vqzee9oGnmocTj06Xwl5Mc\/ByKUEwkXLllU0PvYNP87nW2Nx8B1J4IZPrk\ny\/KxcmFe56x3+42\/7o2sDaaLVsTeMQNVBm4h3rdycmbHw925cToKCpo9iecVyNrl\np9rfsCJqQNJymeRpxASNVSM0QiCmFfnvfSPdx0a5WAGIXcLAE8xZWNWB+2XYOC7P\nRpLSZqT1EiPRvwPlSxxjt7g3mvBglpdvqElZt8mbaVTLcvPrhMG\/lAdf5dLjVewi\n9xyCEfzdM\/Y3AoIBACQ9rzuxb0G4+nlHcJoXdGB3NfccTwMh9YjB\/edYyA0Pz6VK\nWNm4yxFuLoico0IYOiHd3\/9YzWP6CrfseBIGJ7oNcHpQsQmsULzIRfkEQ4BE7itZ\nIFpg\/qYoeQR+8RYzXw8zRJ0u10D2dS3qAcfh6x8CnY660WHHzTYx9Q4OpTt0OjHC\n2M\/VkTH93ZEu2bBvn6E+DGzc\/PHasulDcXHS2obpCVHBBYXjMf26fMY3p79U5rR3\nGlij\/wXG93Ki1a5E893G5FVGv\/6AVOjtyATe4YLIqT3194qVn\/jMiBgH3578RnNP\nXpblcU7GDMA+us54yl8IH\/hb9hGWJNCTMiUcop0CggEAFl9BE847tr\/J12y40z7t\nwfw80wJA+uQECFX\/l8y9oeURc1Fcq3SqiOIrIzIjoD35ytDnvuGNtDEIol3hzkhL\ntjrxWFV7\/MynXOQwAy6LqU4qEm1gLlZL4bD4OugNsNka10N8mgdclKvJX9Mb2FMa\nSROH0oS6wRmNHUYFGaJzcs0TAykxZtArdecDHS\/tgS2J55E8gow5FSfXIt8yGJdA\naJeSj9TZhUaadb1kk+ckT3+zv5H+7bdMBIQjuPr8+IUY4jjGOIydfXut7VyU0uDB\nqywfLT1j4CalpV\/hs4ddRZSPDDufgYETfNxLLGNYlyHaaPTqxYPUqFrbjhKgH7sr\npQKCAQAxW3yYgmPjwpyglWtiSwVLs9mTDh4ahRl+FSUwk8ZSwRD1k9APEpoPmEbP\nqyalnv61aQTQN7cbEzgGm0D0t93sRWtEMU7Efq\/kU\/7acvc\/dNJ8p4hRZXxUNNaN\nreZ42\/IssirFJTpTFauxSPtYb\/7R6gIDAxf3J4+lGInIjWwZtvTb406rOKztvMqj\nD8B5Cf9vGrO\/CAjnY87BJNRFBrehhnLNFeh1pbdEMAORibfMxtn7k9E
GYRdXSdrN\nXv+Zfn4rcd4zFjtMZ8fjOZXXhansJrmBAwAX9SmFtliD96OaNhEV1+3HLScDoR\/K\n0FZM\/3K5DrR8Ed3vWKqAtEOgi5AK\n-----END PRIVATE KEY-----\nShrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256\nBag Attributes\n    friendlyName: http\n    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 36 32 \nKey Attributes: <No Attributes>\n-----BEGIN PRIVATE KEY-----\nMIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC8kJYcWvgzcjRd\nqzMagpo3Op94hNDJ2AX2gKP3V5B1kX4tlbjZxWwGLknfBA\/Sz5fTkle8z\/P0dVCf\nSXuRM9e92RyQoP1gwrPXJ+McFmmgH\/NwETN5aOaTThGmNN756xdyZt9qnxI3pdMs\n\/KUJcBM428YqlY6xFxkFWNQvkNSgC+fujwwmSGUEJ2+WdLO1UUkW2PcanRGrFj5y\nVBu7KaQG9PZ6DFDcdclJQGFnxkJC6eEvWgUxA2vJQUxsfw3+NUdZeXoh3vZ+Nsvw\n0Qw2DP6lZQN3IULw4kgk\/Sf1tPwVVN93QfTtZK899QYwAywKjJQmkCj9oTXQuZMb\nSZgf0ZMgLNpWlluRhUXxXf9GQcVbtL6kFWxxa22wGrWEmmDsd\/\/kn4b47rPKpmu4\niSGqS035xLXV+mutjWzDtZFRvzvI4a4\/va9Q4XCr3oACUDcgpHdOMpEreuaVt6o7\nJdF+W4Sn80FHpsLenfh36meQ4G5LjASF1pdzpMgPJRmz2PtO30afVAQivT3jOPuJ\nv\/szAdIwekTLCuFEPJ3nbCQ7osxIcKUB3z3Zbin7Rr8njeev6WlvWiR3uKso29xG\n80sOLzmYhLGiv6xVR2ESR\/BJ+1TJXUiLn9GNBt1x8xZ3bzZGzFxIHub6nmx+7K9S\nFxJ1i8Y2sjN5bE1+2LBjKRLqhQuOjwIDAQABAoICAEzTJ6WD1q23MOic0KRTY5tu\n0fwbOKmTztIglS03ys5rqZnO71IiYiGeiFBJalz8YSI89Gwj2YPWrDNJkAOXuKVL\nqJywSqs6iGT3hksyQnSPr\/IPwAYOHCsV2pD554KxKotcqFfbWWO8tu4UPPU8aUh4\nGiPNbSZvf60zBLggbNCMKUGDnHKYejeYDZmiEHmmFX4uhXadWc53sJeJ9wZpL7\/5\n29Xb4LIBdzHV\/hl2qBZ1DV7qcUUH3MlRRl7J4RyZ\/mjQ2lakbY78qliCA1SeNL2U\nCzZlIc3ck4ImdjpgM3hJbQY8pBp4NAGtK4kyMaZWoiGYCGtVXASfJvUuJcGI9ESq\nlxKlC+ndLfPmSFT9Yyi+34qIhCBlqpcfwT3aw8tVlVvHeI2rpPjs01s+8YnGJACY\nBapcjNk0GWQZj+HrkLcOs3MUbqdpQbFIggI6US1zAzq3MrfvY03t8Qdzxsiln2nW\n34nKMACAwKRcXeSSnxHE8J50VoWVZ1jaV81RqnvknGxhR4DoSmL9RWB3S9fTD1ff\nqaiGzriqrl88LXqnsqiUDkgdB4brchDs6c3OF06\/WS3oNRGzh\/oAPFN69lTMScMg\nxeFwv+auJW+c4V1Wz4ynwBZiqCy5yep2GXzJqNbl8Ad\/b3hfo\/K4E7mIifS\/4p0H\nrjLpkFkX+9DQS9GIg61xAoIBAQDFlESZdeVRkWXzMOGoYrf4a3PuLiPgq+odbYmI\nXj+kR+0hNYLWviDOxQySyxLScjT7LRuqTd9We8lItHPa\/jfXEsrGkDUIOQ+WBzyd\nW0Sb
nW0u5c6oJpj6GaQz6rcGpEAlqYgE00Ng5scXRoN\/ntLiHvta0vA9P7v0iA62\nnXbfGeCAaHpkoLRk\/XcDBmpJueUSSJ5cZDUgSfNkLoxOM7\/ZJa5oLWjcylJP\/35d\nwo3yM+A+VaZUW1pSLljzWnDfrEvK3ju7Kz0V9sVBoPAewtciowdp3Mi2MdlLiwLL\nh0YhexDJ20QmEf4QAOOJQKaxqnoI2b3hDhsK9BaXRo+4y3WXAoIBAQD0UfnTamU7\ntnOoIGweWuatJRseD8jP\/8TpiWQ31k1vkaQ1BHOvaN9y66KStJUKOBTJUhf5ArQe\nFZxaA3sxIxHlQitN8yuI5oNOKf42+4BCfE5ZDYn1\/euksd\/LNojHHOijpxoEnTaK\nsHr6+RT3dvbFHzKEYxzxHbUwKPN65qAfd0LBblNLyGuqQP9fyjueV0HgQdFEtxHD\nOEsteCfCYY4nxhTQ\/YOg3hHX6titPmNbVXRnPmjXoCVwM64iNT7HtWuJFQI54pPi\nB0DMH2kfm6njKWI+gMCnKfp3s+0bXDySxHpOn1EKj+wecFiOr\/X4nN+4hBhCQ43f\nAPfEALR1Wv3JAoIBAQCkcNd7Zc07Sykv86IMdEUro7r0JEDGEC8k2PLbpZ2QTDDH\nL\/M6aTmC\/iuNzShYMKd52bwpzPAx2YrYUSAPxv+QqFpOUt1gf6VCN7myObDrV2X0\n311VQ\/KUTV0FvLch9vhQoD3NzktIziorbAur3vMjMaf\/mopKX84+IjMkt\/+khbP9\nC3e6YqphVzeDNAaoX+iQhBIRUXGJ8yJ4YelyeM2WnC8BE7Iv+M\/zNvDkdjWPvK9J\nEh4CHZoZxetQdxh0gMEAEmBiUgVgT2czTRAseft2H3vfFtuSEAELR6JG5MpwuS1q\n42xfxx\/OD\/9QT5etTPaOgTLwqb3GKwrWUurxYZz3AoIBAQCVzCU2wMcs42LqNGbV\n\/bntcxC7T8Y58YHUBk8SBS0ZONzLPN2JMO2\/0kWtWVcAGv5zqQfVvxicUXe5oOTJ\nbc0tGXLfqjaJC3x6UjjxkSZEnV6ULz7lOjhelEi4mckm+8yPeobzSUkFo8rjUhDO\n4XvPxJ7+mJ5IH4TV8GXIdtq6MC8X1gLwNgP9MTjijGYdYTacvv4F+ZDEdyFw0Xjf\nL10veb2NncI0wbODBRSws83LVAu4uYUin6gUsTsU8jx5yfwS4nSo9Qjizrul66RS\nouh4xQjddaepVo2hEwpPejARdLHgvsG7jh6hUxSY974CHnz07tjI2A6GKlu\/Kwd5\n5L4xAoIBABIIJOsPkaMS2Nc3iRz9GweT00QFKoZekUiwrafJa4U8bc9B5gMXja77\nozTZShXDFKxVrvTLsraCUCK4RsFMTQE+pG5Q\/SEt8Lnc6D5VvY1oQu4zdbMsNfaO\nvI3vVB0+IQazDIRLhV6JNCaUZAr8jxnShyz2y4N5ZJYToOp20QT5BB5z2uRdtb9Q\nLrXnUNXS07bOVrBhYoi7pNbrvfiGrbrZ5aInn+NVSKy7Mkav7VaiwfhxMBwhD0kj\nesbwv62ZEoAziXeW95iQxvprroZgEAgUsyZJ\/cHilJ4c5YIkv2en21pGcGEtoWpv\nLc00BYUVRYhNU3H1h6CRQkbnHsNB5X4=\n-----END PRIVATE KEY-----\nPKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256\nCertificate bag\nBag Attributes\n    friendlyName: http_ca\n    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 33 39 \nsubject=CN = Elasticsearch security 
auto-configuration HTTP CA\nissuer=CN = Elasticsearch security auto-configuration HTTP CA\n-----BEGIN CERTIFICATE-----\nMIIFWjCCA0KgAwIBAgIVAO1DvGHBpzPO5OFYO\/ofbzwF\/j0VMA0GCSqGSIb3DQEB\nCwUAMDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25m\naWd1cmF0aW9uIEhUVFAgQ0EwHhcNMjMxMTIzMTY1NTE4WhcNMjYxMTIyMTY1NTE4\nWjA8MTowOAYDVQQDEzFFbGFzdGljc2VhcmNoIHNlY3VyaXR5IGF1dG8tY29uZmln\ndXJhdGlvbiBIVFRQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nuMu4ry2dlCSaqfcSo9qucljukRUl6CaPdnzbWlXX7uEFCzS0p+eNGeJxhPqY5D9b\ntefx+Zhc0C0ENKzb6GVMRoM5ji5qPHl7GN4soeUN7LlTX2GN7\/s05hWw+gO3\/OzC\niy0lOnntqI3RZTik+o9NA4Jqmj2LqnegmGOxT9v92rAIkmQvaOPEaZb5EkQceB3W\nu0qTgM5TwxoHJr51kKn9DXfkx+2PDNgp\/v\/\/eWFbjTi9N5Gl3qGYsYzyt81qWAnO\np1UUJEeXvYoW31lggT7SaupykZGV1gqRPFbBMCND3f9M+Wqql4DPa+\/2GjgAWZLG\nKV9B0ePcvEpFNgtvATDfF99tvWctrZHWGxlDmhjLs4W\/3HvkrFGQzeN4GDYhHICM\nTXtdV6fkdHW8HC5KJZKGDXXUqou+VXptj7HUi00eM9cZ+wVn+wcT\/j2Nv43L1Q+D\nQzQDA1sCgCFvj6ga7CYs2BS1gc9KdvNFyOlZvuCjH7xfcCOsAgOFHSyQbyuksodw\nmif9u7n4hS4EN8ZcY2PHZlsQKfK1t6TxdNMMHGBejAYwvLhoo4GtX4L6o5c\/aiap\nNPwitjhl0UHcijQYfmJmCXHK0ocYd8DxONktTU7BzYYmirm+k2wZ+gDSgFfJbquN\nuW7h\/6mYcjQcvgD+XsMAheNR9FPHijsnG5pqHWIV9kMCAwEAAaNTMFEwHQYDVR0O\nBBYEFJ\/4Z6NgEPU7aCUfa5IfIau7hiFaMB8GA1UdIwQYMBaAFJ\/4Z6NgEPU7aCUf\na5IfIau7hiFaMA8GA1UdEwEB\/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFjA\nZ\/O1ogihsyT\/eV+G+w43gU02ELB8UOtAHBqrnq85DY8IMClZZ27xmimFXXklcDGQ\nO\/FVZoWqIPQzORIOnQSe2BmzRdZ347bVmgSo7kHT4016HsN9VN2hdKfRCGqqjszL\noowLkrg+PloP4XZE4I\/rV68TA+0dKFsop99no1wDW3HZuBJvJpmd\/gkDUxcV87i2\nrRSvhgIc5a6ItSMdw0uOmm3ini5iN7xtEf3E3KD0Vs6Zpwc7WthC5vHp1II1wp3P\nCHd4AAtJkbG2QgPsi10zT6d0g+WQnRkGnTBfwcyQuX5FXqH392+ALKc8R7sKhs10\nwxOifVLCdbMlvuOupF3KaHUQfz2D4BwG\/brIsxkCy8t78T3+IAiiUUHdZIIUkWfq\nm8+PkmhYNPJDUcVa2p7EBBYN1GbYOCZJi6VfCaMYfWb7i\/HwjNY5TAkxH\/aujsy6\nhXHQVkpmiGrUPbSDilcGLbKyCzhSAqvmrA7wSQOGgtlnDaSygNf2HK5nI2ieaHpB\neD6RLuQG2KsRkwaZqCBAHmT2MJgygFnPWz+AJ3CTPJdeEoP9Bm9iJtksdDLk7nRz\n1JTCcSXXSYpa43Xaxt8UaBocuU8KKZbwiKWy7b\/LyBML5fWY91QXDeet7iVhtb5U\nACF5KnFS
KyPDtqZ6bRfdPJkNltjsefipnWUl5RC7\n-----END CERTIFICATE-----\nCertificate bag\nBag Attributes\n    friendlyName: http\n    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 36 32 \nsubject=CN = es-node01.kifarunix-demo.com\nissuer=CN = Elasticsearch security auto-configuration HTTP CA\n-----BEGIN CERTIFICATE-----\nMIIFuTCCA6GgAwIBAgIUOhxStWo2WwpeI1a+BX\/kXwF74cIwDQYJKoZIhvcNAQEL\nBQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp\nZ3VyYXRpb24gSFRUUCBDQTAeFw0yMzExMjMxNjU1MTlaFw0yNTExMjIxNjU1MTla\nMCcxJTAjBgNVBAMTHGVzLW5vZGUwMS5raWZhcnVuaXgtZGVtby5jb20wggIiMA0G\nCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8kJYcWvgzcjRdqzMagpo3Op94hNDJ\n2AX2gKP3V5B1kX4tlbjZxWwGLknfBA\/Sz5fTkle8z\/P0dVCfSXuRM9e92RyQoP1g\nwrPXJ+McFmmgH\/NwETN5aOaTThGmNN756xdyZt9qnxI3pdMs\/KUJcBM428YqlY6x\nFxkFWNQvkNSgC+fujwwmSGUEJ2+WdLO1UUkW2PcanRGrFj5yVBu7KaQG9PZ6DFDc\ndclJQGFnxkJC6eEvWgUxA2vJQUxsfw3+NUdZeXoh3vZ+Nsvw0Qw2DP6lZQN3IULw\n4kgk\/Sf1tPwVVN93QfTtZK899QYwAywKjJQmkCj9oTXQuZMbSZgf0ZMgLNpWlluR\nhUXxXf9GQcVbtL6kFWxxa22wGrWEmmDsd\/\/kn4b47rPKpmu4iSGqS035xLXV+mut\njWzDtZFRvzvI4a4\/va9Q4XCr3oACUDcgpHdOMpEreuaVt6o7JdF+W4Sn80FHpsLe\nnfh36meQ4G5LjASF1pdzpMgPJRmz2PtO30afVAQivT3jOPuJv\/szAdIwekTLCuFE\nPJ3nbCQ7osxIcKUB3z3Zbin7Rr8njeev6WlvWiR3uKso29xG80sOLzmYhLGiv6xV\nR2ESR\/BJ+1TJXUiLn9GNBt1x8xZ3bzZGzFxIHub6nmx+7K9SFxJ1i8Y2sjN5bE1+\n2LBjKRLqhQuOjwIDAQABo4HHMIHEMB0GA1UdDgQWBBT+8kuJglB+SW8aGfU+6Q6z\neXx57DAfBgNVHSMEGDAWgBSf+GejYBD1O2glH2uSHyGru4YhWjBiBgNVHREEWzBZ\ngglsb2NhbGhvc3SHEAAAAAAAAAAAAAAAAAAAAAGHBH8AAAGHBMCoegyCHGVzLW5v\nZGUwMS5raWZhcnVuaXgtZGVtby5jb22HEP6AAAAAAAAAUFQA\/\/7fREMwCQYDVR0T\nBAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAsrlA\nV1F+3qA6lnQIDM4IZdQg6FksDcpgz4XnJgEuzcU2z26Ihk7UU9kOjXR8E\/IhwnrH\nSI9PkU49baQlfi9DyTGGYPd12P2LYW1NQzr5QRTQzqupwAAOonBzUJrMeXENOrOI\nrwQASlNCiWbHVEnDsk0KKmkSdA34hLpbTZidDbjKubkeAvMoOstSxe2svtHLiFa+\nEVQelxZqzZugdPhM9436hi8ZAxfGAad4HFSaQPNP5uIfv9wPP296YDt2fdtQDcq0\nEzBMfnWpfizAlGVA1H9A7BIHW\/dFscarzBOgSEF8WpTU6GwjNscrAfdGpKQ+hpaF\njLjSMNStt1
YuO4Hym5rtxEA9JXXq+gmbyevteQBXIAlww3eXR9tsnZANj4GYwovS\nuVOLWRFLXyDXxi08GRzGbWeCS4eFESaATqfvh60xvpsY7QuZAhhj9BqKS1TKU6M9\nuoks7GTrgBMPKxN9eAOxG\/ed0K+\/J5abJAZr3SZ1YJEAMaLZE8jOGndl0x0XjzN8\n4qj7Lv303mMAxbqZbsI1IiaoQceuRr8JEfWBcbtNwoQhOjVM5n7H4qD\/AVUtHpR5\nms7GqsKZjI0zU11sQ2hN81vv1wkKHnWt8OrtHddhv3zyMGxqkXEAFnlPxy\/g2IAf\nurYWFXIwESQJ9+PoNXkZl1UFndjCXaduJgl5PlY=\n-----END CERTIFICATE-----\nCertificate bag\nBag Attributes\n    friendlyName: CN=Elasticsearch security auto-configuration HTTP CA\nsubject=CN = Elasticsearch security auto-configuration HTTP CA\nissuer=CN = Elasticsearch security auto-configuration HTTP CA\n-----BEGIN CERTIFICATE-----\nMIIFWjCCA0KgAwIBAgIVAO1DvGHBpzPO5OFYO\/ofbzwF\/j0VMA0GCSqGSIb3DQEB\nCwUAMDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25m\naWd1cmF0aW9uIEhUVFAgQ0EwHhcNMjMxMTIzMTY1NTE4WhcNMjYxMTIyMTY1NTE4\nWjA8MTowOAYDVQQDEzFFbGFzdGljc2VhcmNoIHNlY3VyaXR5IGF1dG8tY29uZmln\ndXJhdGlvbiBIVFRQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\nuMu4ry2dlCSaqfcSo9qucljukRUl6CaPdnzbWlXX7uEFCzS0p+eNGeJxhPqY5D9b\ntefx+Zhc0C0ENKzb6GVMRoM5ji5qPHl7GN4soeUN7LlTX2GN7\/s05hWw+gO3\/OzC\niy0lOnntqI3RZTik+o9NA4Jqmj2LqnegmGOxT9v92rAIkmQvaOPEaZb5EkQceB3W\nu0qTgM5TwxoHJr51kKn9DXfkx+2PDNgp\/v\/\/eWFbjTi9N5Gl3qGYsYzyt81qWAnO\np1UUJEeXvYoW31lggT7SaupykZGV1gqRPFbBMCND3f9M+Wqql4DPa+\/2GjgAWZLG\nKV9B0ePcvEpFNgtvATDfF99tvWctrZHWGxlDmhjLs4W\/3HvkrFGQzeN4GDYhHICM\nTXtdV6fkdHW8HC5KJZKGDXXUqou+VXptj7HUi00eM9cZ+wVn+wcT\/j2Nv43L1Q+D\nQzQDA1sCgCFvj6ga7CYs2BS1gc9KdvNFyOlZvuCjH7xfcCOsAgOFHSyQbyuksodw\nmif9u7n4hS4EN8ZcY2PHZlsQKfK1t6TxdNMMHGBejAYwvLhoo4GtX4L6o5c\/aiap\nNPwitjhl0UHcijQYfmJmCXHK0ocYd8DxONktTU7BzYYmirm+k2wZ+gDSgFfJbquN\nuW7h\/6mYcjQcvgD+XsMAheNR9FPHijsnG5pqHWIV9kMCAwEAAaNTMFEwHQYDVR0O\nBBYEFJ\/4Z6NgEPU7aCUfa5IfIau7hiFaMB8GA1UdIwQYMBaAFJ\/4Z6NgEPU7aCUf\na5IfIau7hiFaMA8GA1UdEwEB\/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFjA\nZ\/O1ogihsyT\/eV+G+w43gU02ELB8UOtAHBqrnq85DY8IMClZZ27xmimFXXklcDGQ\nO\/FVZoWqIPQzORIOnQSe2BmzRdZ347bVmgSo7kHT4016HsN9VN2hdKfRCGqqjszL\noowLkrg+
PloP4XZE4I\/rV68TA+0dKFsop99no1wDW3HZuBJvJpmd\/gkDUxcV87i2\nrRSvhgIc5a6ItSMdw0uOmm3ini5iN7xtEf3E3KD0Vs6Zpwc7WthC5vHp1II1wp3P\nCHd4AAtJkbG2QgPsi10zT6d0g+WQnRkGnTBfwcyQuX5FXqH392+ALKc8R7sKhs10\nwxOifVLCdbMlvuOupF3KaHUQfz2D4BwG\/brIsxkCy8t78T3+IAiiUUHdZIIUkWfq\nm8+PkmhYNPJDUcVa2p7EBBYN1GbYOCZJi6VfCaMYfWb7i\/HwjNY5TAkxH\/aujsy6\nhXHQVkpmiGrUPbSDilcGLbKyCzhSAqvmrA7wSQOGgtlnDaSygNf2HK5nI2ieaHpB\neD6RLuQG2KsRkwaZqCBAHmT2MJgygFnPWz+AJ3CTPJdeEoP9Bm9iJtksdDLk7nRz\n1JTCcSXXSYpa43Xaxt8UaBocuU8KKZbwiKWy7b\/LyBML5fWY91QXDeet7iVhtb5U\nACF5KnFSKyPDtqZ6bRfdPJkNltjsefipnWUl5RC7\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n<p>The CA key will be the one under the <strong><code>friendlyName: http_ca<\/code><\/strong>. By the way, you can also confirm the common name of the certificate from the output above.<\/p>\n\n\n\n<p>You can copy the CA key (under the <strong><code>friendlyName: http_ca<\/code><\/strong>), anything between <code><strong>-----BEGIN PRIVATE KEY-----<\/strong><\/code> and <strong><code>-----END PRIVATE KEY-----<\/code><\/strong> and store it in a file of your choice, e.g <strong><code>\/etc\/elasticsearch\/certs\/http_ca_key.crt<\/code><\/strong>.<\/p>\n\n\n\n<p>Once you have the CA key, execute the command below to generate wildcard certificates. Answer the prompts accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil http<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generate a CSR, enter&nbsp;<code>n<\/code>.<\/li>\n\n\n\n<li>Use an existing CA, enter&nbsp;<code>y<\/code>.<\/li>\n\n\n\n<li>Enter the absolute path to your&nbsp;<strong>new<\/strong>&nbsp;CA certificate, such as the path to the&nbsp;<code>\/etc\/elasticsearch\/certs\/http_ca.crt<\/code>&nbsp;file.<\/li>\n\n\n\n<li>Enter the absolute path to your new CA certificate private key, such as the path to the&nbsp;<code>ca.key<\/code>&nbsp;file.<\/li>\n\n\n\n<li>Enter an expiration value for your certificate. 
You can enter the validity period in years, months, or days. For example, enter&nbsp;<code>5y<\/code>&nbsp;for five years.<\/li>\n\n\n\n<li>When asked if you want to generate one certificate per node, enter&nbsp;<code>n<\/code>. Here, we need wildcard SSL\/TLS certs.<\/li>\n\n\n\n<li>When prompted for hostnames, enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate. List every hostname and variant used to connect to your cluster over HTTPS. For wildcard certificates, use a wildcard of your domain, e.g. <strong><code>*.kifarunix-demo.com<\/code><\/strong>. Press ENTER twice and confirm the changes.<\/li>\n\n\n\n<li>Enter the IP addresses that clients can use to connect to your node. Just press Enter to leave this blank.<\/li>\n\n\n\n<li>Confirm whether you need to make any changes; if not, proceed.<\/li>\n\n\n\n<li>Set a keystore password to protect the keys.<\/li>\n\n\n\n<li>Enter the filename into which to save the files.<\/li>\n<\/ul>\n\n\n\n<p>You should now see the certificate files archived in the filename you provided.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip -l \/usr\/share\/elasticsearch\/elasticsearch-ssl-http.zip<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>Archive:  \/usr\/share\/elasticsearch\/elasticsearch-ssl-http.zip\n  Length      Date    Time    Name\n---------  ---------- -----   ----\n        0  2023-11-24 15:03   elasticsearch\/\n     1365  2023-11-24 15:03   elasticsearch\/README.txt\n     4452  2023-11-24 15:03   elasticsearch\/http.p12\n      850  2023-11-24 15:03   elasticsearch\/sample-elasticsearch.yml\n        0  2023-11-24 15:03   kibana\/\n     1306  2023-11-24 15:03   kibana\/README.txt\n     1915  2023-11-24 15:03   kibana\/elasticsearch-ca.pem\n     1057  2023-11-24 15:03   kibana\/sample-kibana.yml\n---------                     -------\n    10945                     8 files\n<\/code><\/pre>\n\n\n\n<p>The wildcard CA 
file for our domain is the one under the kibana directory in the archive above, <code>kibana\/elasticsearch-ca.pem<\/code>. You can use it with all clients sending data to Elasticsearch.<\/p>\n\n\n\n<p>The http.p12 file contains the server&#8217;s certificate and keys.<\/p>\n\n\n\n<p>You can extract the archive to your preferred location. You will have two directories, elasticsearch and kibana, each containing the cert\/CA files and a&nbsp;<code>README.txt<\/code>&nbsp;explaining how to use these files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mkdir -p \/etc\/elasticsearch\/certs<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>unzip -d \/etc\/elasticsearch\/certs\/ \/usr\/share\/elasticsearch\/elasticsearch-ssl-http.zip<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>chown -R :elasticsearch \/etc\/elasticsearch\/certs\/<\/code><\/pre>\n\n\n\n<p>Configure Elasticsearch on each node in the cluster to use the new wildcard certificates;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim \/etc\/elasticsearch\/elasticsearch.yml<\/code><\/pre>\n\n\n\n<pre class=\"scroll-sz\"><code>...\n# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents\nxpack.security.http.ssl:\n  enabled: true\n#  keystore.path: certs\/http.p12\n<strong>  keystore.path: certs\/elasticsearch\/http.p12<\/strong>\n...\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>Restart Elasticsearch.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>systemctl restart elasticsearch<\/code><\/pre>\n\n\n\n<p>Similarly, configure Filebeat, Logstash, Kibana or any other client connecting to Elasticsearch to use the new CA certificate.<\/p>\n\n\n\n<p>You can also fetch the certificate chain directly from Elasticsearch on the client using the openssl command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl s_client -connect elk.kifarunix-demo.com:9200 -showcerts | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n<p>Then save whatever is between the <code>-----BEGIN CERTIFICATE-----<\/code> and 
<code>-----END CERTIFICATE-----<\/code> in a file to use as the ES CA certificate file on the client.<\/p>\n\n\n\n<p>You can then run certificate verification against the server. For example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl s_client -connect elk.kifarunix-demo.com:9200 -CAfile \/etc\/filebeat\/es-ca.crt<\/code><\/pre>\n\n\n\n<p>You should see <code>Verification: OK<\/code> in the output.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>subject=DC = com, CN = kifarunix-demo\n\nissuer=CN = Elasticsearch security auto-configuration HTTP CA\n\n---\nNo client certificate CA names sent\nPeer signing digest: SHA256\nPeer signature type: RSA-PSS\nServer Temp Key: X25519, 253 bits\n---\nSSL handshake has read 3065 bytes and written 400 bytes\nVerification: OK\n---\nNew, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384\nServer public key is 2048 bit\nSecure Renegotiation IS NOT supported\nCompression: NONE\nExpansion: NONE\nNo ALPN negotiated\nEarly data was not sent\nVerify return code: 0 (ok)\n\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-newly-created-ca-to-generate-wildcard-certificates\">Using Newly Created CA to Generate Wildcard Certificates<\/h4>\n\n\n\n<p>Our newly generated CA certificate and key are stored under <strong><code>\/etc\/elasticsearch\/es-certs\/ca\/<\/code><\/strong>.<\/p>\n\n\n\n<p>To generate the wildcard SSL\/TLS Elasticsearch certificates, you can use the <code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil cert<\/code> command as shown below.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-certutil cert \\\n\t--name elkstack-certs \\\n\t--ca-cert \/etc\/elasticsearch\/es-certs\/ca\/ca.crt \\\n\t--ca-key \/etc\/elasticsearch\/es-certs\/ca\/ca.key \\\n\t--pem \\\n\t--dns '*.kifarunix-demo.com' \\\n\t--days 3650 \\\n\t--out \/etc\/elasticsearch\/es-certs\/elkstack-certs.zip\n<\/code><\/pre>\n\n\n\n<p>If you generated the CA in PKCS#12 format, then you will first need to extract the CA key to allow you to create the certificates using the 
CA.<\/p>\n\n\n\n<p>Once you have the certificates, you can install them accordingly.<\/p>\n\n\n\n<p>Note that if you set a password for your private key while generating the certificates, then you need to add that keystore password to the Elasticsearch secure settings.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/usr\/share\/elasticsearch\/bin\/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password<\/code><\/pre>\n\n\n\n<p><strong>Ensure the keystore password is the same across the cluster<\/strong>!<\/p>\n\n\n\n<p>Similarly, configure your Elasticsearch to use the new CA. If you are using certificates in PEM format, then your Elasticsearch configuration will look like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>xpack.security.http.ssl:\n  enabled: true\n  key: \/etc\/elasticsearch\/certs\/es-certs\/elkstack-certs.key\n  certificate: \/etc\/elasticsearch\/certs\/es-certs\/elkstack-certs.crt\n  certificate_authorities: \/etc\/elasticsearch\/certs\/ca\/ca.crt\n<\/code><\/pre>\n\n\n\n<p>Configure the clients to use the certificate accordingly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"using-commercial-ca-signed-certificates\">Using Commercial CA Signed Certificates<\/h3>\n\n\n\n<p>If you have wildcard certs from a commercial CA, then by all means, configure Elasticsearch as well as ES clients to use them.<\/p>\n\n\n\n<p>That brings us to the close of our guide on how to generate wildcard SSL certificates for Elasticsearch.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is there an easy way to generate wildcard SSL certificates for Elasticsearch? Yes, definitely. 
The current Elasticsearch releases, Elasticsearch 8.x, when installed, the HTTP and<\/p>\n","protected":false},"author":10,"featured_media":19414,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,910,121,1187],"tags":[7321,7324,7323,7322],"class_list":["post-19403","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-elastic-stack","category-howtos","category-ssl-tls","tag-elasticsearch-wildcard-ssl","tag-generate-wildcard-ssl-for-elasticsearch","tag-use-wildcard-ssl-on-elk","tag-wildcard-ssl-certs-for-elasticsearch","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/19403"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=19403"}],"version-history":[{"count":12,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/19403\/revisions"}],"predecessor-version":[{"id":20870,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/19403\/revisions\/20870"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/19414"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=19403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=19403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=19403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
