How many certs should I generate for a cluster of 3 els nodes?

I have an els cluster consisting of 3 nodes. So far I have generated 1 root cert, 1 admin cert and 1 node cert. Should I only need to create 2 more node certs for the other 2 nodes or should I be creating a set of 3 certs for each node (i.e. 1 root, 1 admin and 1 node PER node)?

Every node should have a node certificate. The root certificate is used for signing the node and admin certificates. The admin certificate is used when running securityadmin.sh.

Ah okay.
So 1 root, 1 admin and 3 node certs. Would I need to transfer all certs onto each node, or will I just need them on one? Just asking because I wasn’t entirely sure if the elasticsearch.yml would be exactly the same on each node (in terms of defining the admin and node certs).

Hello,
I think you defined your admin cert in elasticsearch.yml, so you should deploy the admin cert on every node.

Your certs are defined in elasticsearch.yml, so they should be present on the node, or every node has access to shared storage, but then there may be network disruptions and lag.
So every node should have 1 root cert, 1 admin cert and its own cert (or a specific cert that is common to every node, which is less secure, with cert verification turned off).

Thi


Hmm okay. For some reason I ended up generating 1 root, 1 admin and 3 node certs on all 3 separate node servers which doesn’t really make sense.
I should have just generated 3 certs on EACH els server right? (1 root, 1 admin and 1 node cert)?
Also, is it necessary to generate the certs with a SAN? Because when generating them, I’d entered the hostnames for the Common Name (CN) and made sure to set the ‘opendistro_security.ssl.transport.enforce_hostname_verification’ attribute = true in elasticsearch.yml.

I just haven’t been able to run ./securityadmin.sh in this prod environment yet because ‘OpenDistro Security has not been initialized’. When I try to check cluster health I see the same message.

Sorry, I wasn’t clear enough!
The root and admin certs are the same in the whole cluster.
Admin is like an account with admin rights, so you can perform administration API calls to your cluster. You can have as many admin certs/accounts as you wish, but you will have to set them in elasticsearch.yml on every node.

Yes, I had trouble; you clearly need a SAN. You should put localhost because that is what they ask for, if I remember correctly, but in my company it’s forbidden, so we don’t verify certs, just trying our best to make it work… haha, we put hostnames in the SAN.


Okay - I’ll generate with a SAN this time. And I’ll need to copy the root and admin certs over to the other 2 nodes, or is it okay to keep the root, admin and node 1 certs on the master node and then the node 2 cert on the node 2 server and the node 3 cert on the node 3 server?

You need to copy the root everywhere; it’s your root certificate, it authenticates all your other certs!
For admin, it depends on whether you set it in elasticsearch.yml.
But normally your elasticsearch.yml files are similar, so yeah, deploy all certs everywhere.

So each node should have 3 certs.
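A worked version of the inventory the thread settles on (1 root CA and 1 admin cert shared by the whole cluster, 1 node cert per node with the hostname in the SAN, and a chain check before anything is copied to the other nodes), as an added example that is not part of the thread. The hostnames, file names and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: issue the inventory the replies converge on,
# one root CA and one admin cert shared by the whole cluster plus one node cert per
# node, with each node's hostname in the SAN so hostname verification can pass.
# Hostnames and the output directory are constructed placeholders.
set -e
OUT="${OUT:-./els-certs}"
NODES="els-node-1 els-node-2 els-node-3"

# new_csr <name> <subject>: fresh RSA key and CSR for one identity
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$OUT/$1-key.pem" -out "$OUT/$1.csr" 2>/dev/null
}

# issue_leaf <name> <subject> <extendedKeyUsage> <SAN list or "">: sign with the root
issue_leaf() {
  new_csr "$1" "$2"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$OUT/$1.ext"
  if [ -n "$4" ]; then printf 'subjectAltName=%s\n' "$4" >> "$OUT/$1.ext"; fi
  openssl x509 -req -in "$OUT/$1.csr" -CA "$OUT/root-ca.pem" -CAkey "$OUT/root-key.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$OUT/$1.ext" -out "$OUT/$1.pem" 2>/dev/null
}

gen_cluster_certs() {
  mkdir -p "$OUT"
  # 1 root CA: the single trust anchor; root-ca.pem (never the key) goes on every node
  new_csr root "/CN=els-root-ca"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$OUT/root.ext"
  openssl x509 -req -in "$OUT/root.csr" -signkey "$OUT/root-key.pem" -days 365 -sha256 \
    -extfile "$OUT/root.ext" -out "$OUT/root-ca.pem" 2>/dev/null
  # 1 admin cert: the client identity securityadmin.sh presents; its DN is what
  # elasticsearch.yml lists on every node. It names an operator, not a host, so no SAN.
  issue_leaf admin "/CN=els-admin" clientAuth ""
  # 1 node cert per node: hostname in CN and SAN, usable for both transport roles
  for n in $NODES; do
    issue_leaf "$n" "/CN=$n" serverAuth,clientAuth "DNS:$n,DNS:localhost"
  done
}

# Checks worth running before copying anything to the other nodes
verify_chain() { openssl verify -CAfile "$OUT/root-ca.pem" "$OUT/$1.pem" >/dev/null 2>&1; }
has_san() { openssl x509 -in "$OUT/$1.pem" -noout -text 2>/dev/null | grep -q "DNS:$2"; }
count_certs() { ls "$OUT"/*.pem | grep -v -c -- '-key.pem'; }  # root + admin + one per node

gen_cluster_certs
verify_chain admin
for n in $NODES; do verify_chain "$n"; has_san "$n" "$n"; done
echo "issued $(count_certs) certificates under $OUT (5 for a 3-node cluster)"
```

Only root-ca.pem, admin.pem and admin-key.pem are common to all nodes; each node additionally gets just its own node cert and key.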