OpenSearch TLS: creating a CSR and after that creating a SAN. What is a SAN?

Sorry to bother you, but I'm fighting with the certificates and reading the documentation, and I wanted to know if you could explain to me about creating an alternative SAN name, etc. It comes from this address: OpenSearch documentation - OpenSearch documentation generate-certificates/
I am copying the paragraph that I do not understand; it is probably very simple, but I hope you will forgive me:
Next, create the CSR:

openssl req -new -key node1-key.pem -out node1.csr
For all host and client certificates, you must specify a Subject Alternative Name (SAN) to ensure compliance with RFC 2818 (HTTP over TLS). The SAN must match the corresponding CN for both to refer to the same DNS A record.

Before generating a signed certificate, create a SAN extension file that describes the DNS A record for the host:

echo 'subjectAltName=DNS:node1.dns.a-record' > node1.ext
Generate the certificate:

openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 730 -extfile node1.ext

Supposedly I have created the self-signed certificate of the certificate authority, then the administrator certificate, and now I am on the ones for the clients/nodes, but after creating the CSR of the clients it tells me to create a SAN, and I do not understand what should go in that SAN, whether it is the IP or the machine name.
I'm with OpenSearch, but the idea is to encrypt GRAYLOG using OpenSearch.

A greeting and a thousand thanks and excuse me.
I hope anybody can help me.

Hi @jomaguca

SAN is not a mandatory field. If you use CN for identifying trusted certificates, you can skip SAN.

SAN is used for storing some values. The Security plugin uses the following SAN values:
OIDName, hostname, IPAddress, DNSName.

OIDName value is used to identify trusted node certificates. The default value for OIDName is 1.2.3.4.5.5

The example with hostnames and IP addresses in SAN section you can find here:
https://opensearch.org/docs/latest/troubleshoot/tls/#check-san-hostnames-and-ip-addresses

The example with 2 values for node1.ext file:

# OpenSSL's extension syntax uses the DNS: and IP: prefixes for these two SAN types
echo 'subjectAltName=DNS:node1.dns.a-record,IP:127.0.0.1' > node1.ext
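The whole flow from the answer above, carried through end to end as an added example (this is not code from the thread or from the OpenSearch docs): build a throwaway root CA, create the node key and CSR, write a SAN extension file with both a DNS name and an IP address, sign the CSR, then read the SAN back out of the issued certificate and verify the chain against the hostname, which is the check that tells you the SAN actually landed where the Security plugin will look for it. The hostname node1.example.test, the IP 127.0.0.1, the file names and the working directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread. Demo CA and node certificate with a
# DNS + IP SAN; all names and paths are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA (constructed demo CA; short lifetime on purpose).
make_root_ca() {
  openssl genrsa -out "$WORK/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$WORK/root-ca-key.pem" \
    -subj "/CN=demo-root-ca" -days 30 -out "$WORK/root-ca.pem" 2>/dev/null
}

# Node key + CSR, SAN extension file, and signing by the demo CA.
# $1 = hostname used in both the CN and the DNS SAN, $2 = IP for the IP SAN.
make_node_cert() {
  host="$1"; ip="$2"
  openssl genrsa -out "$WORK/node1-key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/node1-key.pem" -subj "/CN=$host" \
    -out "$WORK/node1.csr" 2>/dev/null
  # OpenSSL's extension syntax is DNS: and IP: (DNSName:/IPAddress: are rejected).
  echo "subjectAltName=DNS:$host,IP:$ip" > "$WORK/node1.ext"
  openssl x509 -req -in "$WORK/node1.csr" \
    -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca-key.pem" -CAcreateserial \
    -sha256 -days 30 -extfile "$WORK/node1.ext" -out "$WORK/node1.pem" 2>/dev/null
}

# Print the SAN extension of the issued certificate, i.e. what a verifier sees.
cert_san() {
  openssl x509 -in "$WORK/node1.pem" -noout -ext subjectAltName
}

# Check that the certificate chains to the CA and its SAN matches hostname $1.
verify_host() {
  openssl verify -CAfile "$WORK/root-ca.pem" -verify_hostname "$1" \
    "$WORK/node1.pem" >/dev/null 2>&1
}

# Show that the DNSName:/IPAddress: spelling does not produce a certificate:
# returns 0 when openssl refuses the extension file, 1 if it unexpectedly signs.
bad_ext_rejected() {
  echo "subjectAltName=DNSName:$1,IPAddress:$2" > "$WORK/bad.ext"
  if openssl x509 -req -in "$WORK/node1.csr" \
       -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca-key.pem" -CAcreateserial \
       -sha256 -days 30 -extfile "$WORK/bad.ext" -out "$WORK/bad.pem" 2>/dev/null; then
    return 1
  fi
  return 0
}

# Usage (run with: sh san-demo.sh):
# make_root_ca
# make_node_cert node1.example.test 127.0.0.1
# cert_san
# verify_host node1.example.test && echo "hostname matches SAN"
```

Whatever you put in the DNS: entry has to be the name that clients and other nodes actually use to reach the node (the DNS A record), and the IP: entry is only needed if something connects by address; `openssl verify -verify_hostname` with the wrong name fails, which is exactly the failure you will otherwise see at TLS handshake time between nodes.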