SSL configuration for Opensearch with SSL

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

We are using Bitbucket Data Center 9.4.4; as per Atlassian's recommendation, we are installing the OpenSearch 2.18.0 tar file on a Linux box.

Describe the issue:

Earlier we were using Elasticsearch; now, as per Atlassian's recommendation, we are moving towards OpenSearch.
However, we are stuck with the certificate: as we already have a keystore PFX file, can we utilize that certificate, and what configuration steps need to be followed?
Also, we ran the full steps mentioned under the topic Configure TLS in the document Tarball - OpenSearch Documentation,

and the link below for the keystore shows different steps; it is a bit confusing which one to follow:
Configuring TLS certificates - OpenSearch Documentation.

Is there any option for a quick connect? This would help us fix it in a quick session.

@kiran.su Which exact part of the documentation is confusing for you?

I am still stuck with the SSL part; the document doesn't make sense to me and I need a second eye to make sure my understanding is correct.

I am using Generating self-signed certificates - OpenSearch Documentation to generate SSL.

Our Bitbucket has 2 nodes and 1 single separate server where OpenSearch and the file share are configured.

Is this step required: (Optional) Generate node and client certificates?

If it is not required, then which commands should be run under “Sample script to generate self-signed PEM certificates“? Also, should we run the clean up commands?

@kiran.su The following certificates are required for the OpenSearch security plugin.

  • admin certificate - for super-admin user (securityadmin.sh) - client type certificate (EKU - clientAuth)
  • node certificate - client and server type certificate (EKU - serverAuth, clientAuth)
  • root certificate

You can generate more than one admin and node certificate. For security reasons, the number of admin certificates should be limited.
You can have a per-node certificate or use the same one for all nodes. You can have separate certificates for http (EKU - clientAuth) and transport (EKU - serverAuth, clientAuth) communication.

The minimum is 1 node, 1 admin and 1 root certificate.

Regarding the sample script:
In this configuration you have separate node certificates for a 2-node cluster, one admin certificate to use with securityadmin.sh, one client certificate to access the OpenSearch cluster as a regular user (certificate authentication must be enabled) and 1 root certificate.
The cleanup part removes only temporary files and CSR (Certificate Signing Request) files. You won’t need them to run the security plugin.

I am following the document; however, I am getting an error while performing the below step.

# Import certificates to truststore

Getting the below error:
[root@xxxxx config]# keytool -importcert -keystore truststore.jks -file root-ca.cer -storepass changeit -trustcacerts -deststoretype pkcs12
keytool error: java.io.FileNotFoundException: root-ca.cer (No such file or directory)

@kiran.su Does the file exist?
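Added example (not code from this thread, from the OpenSearch docs, or from Atlassian) tying together the two points above: the minimum certificate set the security plugin needs (1 root, 1 node with EKU serverAuth,clientAuth, 1 admin with EKU clientAuth), generated with openssl and checked for the right EKUs and chain, followed by the file check that the keytool error calls for. It assumes openssl is installed, uses a scratch directory `WORKDIR`, and uses placeholder subject names and a 365-day validity; the function names are my own. Note that the script writes `root-ca.pem`, so a keytool run in that directory that asks for `root-ca.cer` fails with exactly the shape of error quoted above, which is why `require_file` runs before any import.

```shell
#!/bin/sh
# Added example for this thread; not the OpenSearch docs' sample script.
# Assumptions: openssl on PATH, WORKDIR is a scratch directory, subject
# names and validity are placeholders. keytool is used only if present.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ_BASE="/C=XX/ST=Example/O=Example Org"   # placeholder DN components

# 1 root certificate: self-signed CA that signs the node and admin certs.
gen_root_ca() {
  openssl genrsa -out "$WORKDIR/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 \
    -key "$WORKDIR/root-ca-key.pem" \
    -subj "$SUBJ_BASE/CN=root.example.internal" \
    -out "$WORKDIR/root-ca.pem"
}

# Leaf certificate signed by the root CA.
# $1 = file prefix, $2 = CN, $3 = EKU list, $4 = optional SAN (node certs).
gen_leaf() {
  prefix="$1"; cn="$2"; eku="$3"; san="$4"
  openssl genrsa -out "$WORKDIR/$prefix-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORKDIR/$prefix-key.pem" \
    -subj "$SUBJ_BASE/CN=$cn" -out "$WORKDIR/$prefix.csr"
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$WORKDIR/$prefix.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/$prefix.csr" \
    -CA "$WORKDIR/root-ca.pem" -CAkey "$WORKDIR/root-ca-key.pem" -CAcreateserial \
    -extfile "$WORKDIR/$prefix.ext" -out "$WORKDIR/$prefix.pem" 2>/dev/null
  # The "clean up" step only removes the CSR and the temporary extension file.
  rm -f "$WORKDIR/$prefix.csr" "$WORKDIR/$prefix.ext"
}

# Print a certificate's EKU names on one line, e.g.
# "TLS Web Server Authentication, TLS Web Client Authentication".
cert_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Return 0 when the certificate chains to the generated root CA.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/root-ca.pem" "$1" >/dev/null 2>&1
}

# The check behind "Does the file exist?": fail early with a clear message
# instead of letting keytool report FileNotFoundException.
require_file() {
  if [ ! -f "$1" ]; then
    echo "missing file: $1 (check the name and the directory you run keytool from)" >&2
    return 1
  fi
}

# Import the root CA into a PKCS12 truststore when keytool is available.
import_root_ca() {
  require_file "$WORKDIR/root-ca.pem" || return 1
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias root-ca \
      -keystore "$WORKDIR/truststore.jks" -storetype pkcs12 -storepass changeit \
      -file "$WORKDIR/root-ca.pem" -trustcacerts
  else
    echo "keytool not found; skipping truststore import" >&2
  fi
}

gen_root_ca
gen_leaf node1 node1.example.internal "serverAuth,clientAuth" "DNS:node1.example.internal"
gen_leaf admin admin "clientAuth"
import_root_ca
echo "node1 EKU: $(cert_eku "$WORKDIR/node1.pem")"
echo "admin EKU: $(cert_eku "$WORKDIR/admin.pem")"
```

A second node would be another `gen_leaf node2 ...` call with its own SAN; if you keep one admin certificate (as recommended above), its DN is what goes into the plugin's admin DN list. Per-node keys and the root CA key should stay readable only by the service account, and the root CA key does not belong on the nodes at all once signing is done.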