SSL Certificate in Opensearch

To configure SSL Certificate in Opensearch, the following certificates are

  • CA Certificate
  • Admin Certificate
  • Node Certificate


To configure SSL in opensearch, CA Certificate and CA Key is mandatory



Contact your organization for a third-party CA Certificate and CA Key, or use the steps below to generate an SSL Certificate.
To run Openssl, go to extracted path and run exe file as an Administrator
Example : C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin\openssl.exe

Steps to generate self-signed CA Certificate

  1. To generate a private key using the genrsa command. As the name suggests, you should keep this file private.
  2. Private keys need to be of sufficient length in order to be secure, so specify 2048:
openssl genrsa -out root-ca-key.pem 2048

If desired, add the -aes256 option to encrypt the key using the AES-256 standard. This option requires a password.

  1. Next, use the key to generate a self-signed certificate for the root CA:
openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem
 * The `-x509` option specifies that you want a self-signed certificate rather than a certificate request.
 * The `-sha256` option sets the hash algorithm to SHA-256. SHA-256 is the default in newer versions of OpenSSL, 
    but older versions might use SHA-1.
 * Optionally, add` -days 3650` (10 years) or some other number of days to set an expiration date.
  1. Specify details for your organization as prompted. Together, these details form the Distinguished Name (DN) of your CA.

Steps to generate self-signed Admin certificates:

Run the following commands to generate certificates. Once the certificates are generated, you can find those certificates inside the bin folder.
(Eg: C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin)

  1. To Generate Admin/Node certificate
    openssl> genrsa -out admin-key-temp.pem 2048
    openssl> pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

  2. To Generate csr file from admin-key.pem file
    openssl> req -new -key adminkey.pem -out admin.csr

  3. To Generate admin.pem file
    openssl> x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem



root-ca.pem - You can use your CA cert or rename your CA cert file to root-ca.pem
root-ca-key - You can use your CA key file or rename your CA key file to

  1. Using the following command you can find DN
    openssl>x509 -subject -nameopt RFC2253 -noout -in admin.pem
    Example : subject=,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA
    Note : You can configure the above DN value in elasticsearch.yml

  2. Copy all generated certificates [admin.pem, admin-key.pem] to

  3. Provide full permissions for certificates in C:\SearchBloxServer\opensearch\config



Right click on PEM file-properties-security-edit(give full permissions)

  1. Go to C:\SearchBloxServer\opensearch\config and edit opensearch.yml and make
    sure the pem certificate names are properly given.

Example: admin.pem admin_key.pem root-ca.pem false true admin.pem admin_key.pem root-ca.pem true
-CN=elastic,OU=it,O=searchblox,L=V, C=US,OU=dev,O=searchblox,L=chennai,ST=tamilnadu,C=in

  1. Restart the Opensearch service and check for SSL updates.

  2. To Check cluster health

  3. Open command prompt and navigate to
    C:\SearchBloxServer\opensearch\plugins\opensearch_security\tools and run the following
    command to initialize the security plugins:
    securityadmin.bat -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/admin.pem -key ../../../config/admin-key.pem

  4. Start searchblox service.