How to configure the opensearch cluster with self signed certificates step by step

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Opensearch version 2.8.0

Describe the issue:

Hi Team, Hope you are all doing good
Can you please give me a overall step by step process on how to implement a self signed certificate within the opensearch cluster and opensearch dashboard.
Currently its running with http set to false and I want to enable it.

Thank you for the help

Hi @raj1209 , Have checked this: Configuring TLS certificates - OpenSearch documentation

hi @Mantas Thank you for the documentation
I’m new to concept of configuring TLS on cluster level.

My cluster consists of 4 hot node and 1 warm and 1 master node

Scenario :

I have an scenario where I have to receive logs from Logstash ( which is at different AWS account ) and send it directly to our opensearch cluster with TLS

So I have copied the root certificate to logstash output and to receive in one of the hot nodes in cluster
for that hot node ( example hot node 2 ) to receive encrypted logs, this setting must be true true.

if this setting is enabled only on hot node 2 sometimes the cluster formation fails.
and I presume this setting activates both REST and Transport layer as well
I want one of the hot node to receive from logstash securely and is it possible to run the cluster without encrypted node to node communication ?

if its not possible, I have certain doubts while creating and configuring certificates
in all nodes

Lets say
I have 4 nodes
Hot node 1 - host name :
hot node 2 - host name :
Hot node 3 - host name :
hot node 4 - host name :

I am using openssl to generate certificates of root, node and client certificate.

on hot node 1, I have been generating all this certificate as shown in documentation.

Step 1: This command generates root-ca-key.pem

openssl genrsa -out root-ca-key.pem 2048

Step 2 : This command generates root CA

openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730

Q1 : While executing this command its ask for a CN , should I give the hot node1 host name ( ) since I’m generating these certifcates on that node ???
Above command generates root certificate “” root-ca.pem

Step 3: Generate an admin csr

Below commands generate admin-key.pem

openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

While creating a CSR with below command

openssl req -new -key admin-key.pem -out admin.csr

Q2) it asks for CN ( common Name ) ? , What should I put it here, the same hot node1 hostname or juts any random name which I have to remember ??? or is it like a common name for nodes to communicate within

Step 4: Generate admin certificate

openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

Step 5 : Generate node certificate
In node certificate

Q3 ) For all host and client certificates, you should specify a subject alternative name (SAN) to ensure compliance with RFC 2818 (HTTP Over TLS). The SAN should match the corresponding CN so that both refer to the same DNS A record.

I did not understand, above statement

**while generating a node or client certificates, **
SAN will be the node hostnames and how does that corresponsing CN will match ???

I know this is a lot of questions, it would really helpful for me to understand and set up whole without any questions in mind

Thank you for reading this whole bunch of question and thanks for your patience

Please help me out on this

Hi Team, please do help me on this
Thank you

One thing to keep in mind when dealing with CN(s)/DN(s) you will have to match DN(s) in your opensearch.yml as per Generating self-signed certificates - OpenSearch documentation
  - 'CN=node1.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
  - 'CN=node2.dns.a-record,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

You can find steps on how to generate self-signed certificates with a sample script (that references distinguished names in the opensearch.yml section called " Add distinguished names to opensearch.yml" )

Please see it here: Generating self-signed certificates - OpenSearch documentation