SSL authentication certificates

llauber · February 20, 2020, 3:12pm

May be this will help:

elasticsearch.yml:
cluster.name: “k8s-logs”
network.host: 0.0.0.0
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- ‘CN=admin,O=LONUS,L=NewYork,C=US’
opendistro_security.nodes_dn:
- ‘CN=.elasticsearch,O=LON,L=London,C=DE’
- ‘CN=kibana,O=LON,L=London,C=DE’
- 'CN=,O=LON,L=London,C=DE’
- ‘CN=k8s-logs*’
- ‘/CN=.*regex/’
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: [“all_access”, “security_rest_api_access”]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3

volumeMounts:
mountPath: /usr/share/elasticsearch/config/admin.pem
mountPath: /usr/share/elasticsearch/config/admin-key.pem
mountPath: /usr/share/elasticsearch/config/node.pem
mountPath: /usr/share/elasticsearch/config/node-key.pem
mountPath: /usr/share/elasticsearch/config/root-ca.pem
mountPath: /usr/share/elasticsearch/config/root-ca-key.pem
mountPath: /usr/share/elasticsearch/config/elasticsearch.yml

certificates:
openssl genrsa -out admin-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem
openssl req -days 3650 -new -key admin-key.pem -out admin.csr -subj “/C=US/L=NewYork/O=LONUS/CN=admin”
openssl x509 -req -days 3650 -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem
openssl genrsa -out node-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in node-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-key.pem
openssl req -days 3650 -new -key node-key.pem -out node.csr -subj “/C=DE/L=London/O=LON/CN=*.elasticsearch”
openssl x509 -req -days 3650 -in node.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node.pem
openssl genrsa -out kibana-key-temp.pem 2048
openssl pkcs8 -inform PEM -outform PEM -in kibana-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out kibana-key.pem
openssl req -days 3650 -new -key kibana-key.pem -out kibana.csr -subj “/C=DE/L=London/O=LON/CN=kibana”
openssl x509 -req -days 3650 -in kibana.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out kibana.pem

Topic		Replies	Views
Nodes_dn configuration Open Source Elasticsearch and Kibana	3	3892	August 16, 2019
Encrypted communication between nodes and client Security	8	458	August 9, 2021
SSL Woes with OpenDistro on Docker Security	6	1066	May 31, 2021
TLS configuration with organizational certs Security troubleshoot , configure	2	643	January 21, 2022
Configuring TLS (https) for Kibana only - issue accessing with FQDN Security	1	484	February 3, 2021

SSL authentication certificates

Related topics