To configure an SSL certificate in Elasticsearch, the following certificates are needed:

  • **CA Certificate**

  • **Admin Certificate**

  • **Node Certificate**

## Prerequisites:

To configure SSL in Elasticsearch, a CA certificate and CA key are mandatory.

Note

Contact your organization for a third-party CA certificate and CA key, or use the steps below to generate a self-signed CA certificate. To run OpenSSL, go to the extracted path and run the executable as an Administrator. Example: `C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin\openssl.exe`

## Steps to generate self-signed CA Certificate

  1. Generate a private key using the `genrsa` command. As the name suggests, keep this file private.

  2. Private keys need to be of sufficient length to be secure, so specify `2048`:



If desired, add the `-aes256` option to encrypt the key using the AES-256 standard. This option requires a password.

  3. Next, use the key to generate a self-signed certificate for the root CA:

  4. Specify details for your organization as prompted. Together, these details form the Distinguished Name (DN) of your CA.

## Steps to generate self-signed Admin certificates:

Run the following commands to generate the certificates. Once they are generated, you can find them inside the bin folder (e.g. `C:\Users\Administrator\Downloads\openssl-1.1.1j-dev\openssl-1.1\x64\bin`).

  1. Generate the admin/node private key, then convert it to PKCS#8 format: `openssl> genrsa -out admin-key-temp.pem 2048` followed by `openssl> pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem`

  2. Generate a CSR from the `admin-key.pem` file: `openssl> req -new -key admin-key.pem -out admin.csr`

  3. Generate the `admin.pem` file by signing the CSR with the CA: `openssl> x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem`

Note:

  • **root-ca.pem** - Use your CA certificate, or rename your CA certificate file to `root-ca.pem`.

  • **root-ca-key.pem** - Use your CA key, or rename your CA key file to `root-ca-key.pem`.

  4. Find the DN of the admin certificate with: `openssl> x509 -subject -nameopt RFC2253 -noout -in admin.pem` Example output: `subject= CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA` Note: configure this DN value as a list entry in `elasticsearch.yml`. Example: `opendistro_security.authcz.admin_dn:` followed by `- CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA`

  5. Copy the generated certificates (`admin.pem`, `admin-key.pem`), together with the `root-ca.pem` that `elasticsearch.yml` references, to `C:\SearchBloxServer\elasticsearch\config`.

  6. Provide full permissions for the certificates in `C:\SearchBloxServer\elasticsearch\config`.

Note:

Right-click the PEM file, open Properties > Security > Edit, and grant full permissions.
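The CA and admin-certificate steps above, combined into one script as an added example (it is not from the SearchBlox documentation): it runs the same openssl commands in a POSIX shell, checks that `admin.pem` chains to `root-ca.pem` (a verification step the page does not include), and prints the RFC 2253 DN for `opendistro_security.authcz.admin_dn`. It assumes `openssl` is on PATH (Linux, macOS or Git Bash on Windows); the subject fields, the 365-day validity and the output directory are constructed values.

```shell
# Added example (not from the SearchBlox documentation): CA + admin certificate
# generation with the openssl CLI. Assumes openssl is on PATH; subject fields,
# validity period and the output directory are constructed values.

set -e

# Generate the root CA and the admin certificate into the directory given as $1.
gen_admin_cert() {
  mkdir -p "$1"
  (
    cd "$1"
    # Root CA private key (keep this file private) and self-signed CA cert.
    openssl genrsa -out root-ca-key.pem 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 365 -key root-ca-key.pem \
      -subj "/C=US/ST=Texas/L=Austin/O=ExampleOrg/OU=IT/CN=example-root-ca" \
      -out root-ca.pem 2>/dev/null
    # Admin key: RSA key converted to unencrypted PKCS#8, as the plugin expects.
    openssl genrsa -out admin-key-temp.pem 2048 2>/dev/null
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 \
      -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
    rm -f admin-key-temp.pem
    # CSR for the admin identity, then sign it with the CA.
    openssl req -new -key admin-key.pem \
      -subj "/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=admin" \
      -out admin.csr 2>/dev/null
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem \
      -CAcreateserial -sha256 -days 365 -out admin.pem 2>/dev/null
  )
}

# Print the subject in RFC 2253 form, i.e. the string elasticsearch.yml expects
# (the "subject=" prefix differs between OpenSSL versions, so strip it).
admin_dn() {
  openssl x509 -subject -nameopt RFC2253 -noout -in "$1/admin.pem" | sed 's/^subject= *//'
}

# Check that admin.pem really chains to root-ca.pem (exit status 0 on success).
verify_chain() {
  openssl verify -CAfile "$1/root-ca.pem" "$1/admin.pem" >/dev/null
}

# Usage: gen_admin_cert ./certs && verify_chain ./certs && admin_dn ./certs
```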

  7. Go to `C:\SearchBloxServer\elasticsearch\config`, edit `elasticsearch.yml`, and make sure the PEM certificate file names are given correctly.

Example:

```yaml
opendistro_security.ssl.transport.pemcert_filepath: admin.pem
opendistro_security.ssl.transport.pemkey_filepath: admin-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: admin.pem
opendistro_security.ssl.http.pemkey_filepath: admin-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=elastic,OU=it,O=searchblox,L=V, C=US
opendistro_security.nodes_dn:
  - CN=node1.test.com,OU=dev,O=searchblox,L=chennai,ST=tamilnadu,C=in
```

  8. Restart the Open Distro Elasticsearch service and confirm that SSL is in effect.

  9. To check cluster health, open `https://localhost:9200/_cluster/health?pretty`.

  10. Open a command prompt, navigate to `C:\SearchBloxServer\elasticsearch\plugins\opendistro_security\tools`, and run the following command to initialize the security plugin: `securityadmin.bat -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/admin.pem -key ../../../config/admin-key.pem`

  11. Start the SearchBlox service.