TLS certificates & config snippets via sgtlstool


After I got stranded trying to get custom certificates created and configured using the opendistro docs :thinking:

To successfully create them, I went over to the Searchguard documentation and used their Java-based offline cert creator tool sgtlstool (Offline TLS Tool | Security for Elasticsearch | Search Guard; also available as an online version: Online TLS Generator | Security for Elasticsearch | Search Guard), and this finally worked for me.


After modifying the ‘config/example.yml’ all the certs can be created at once:

search-guard-tlstool-1.7$ tools/ -c config/example.yml -ca -crt -v -o

Another benefit is that you get the config snippets as well:


# This is a configuration snippet for the node odfe-node1
# This snippet needs to be inserted into the file config/elasticsearch.yml of the respective node.
# If the config file already contains SearchGuard configuration, this needs to be replaced.
# Furthermore, you need to copy the files referenced below into the same directory.
# Please refer to for further configuration of your installation.

searchguard.ssl.transport.pemcert_filepath: odfe-node1.pem
searchguard.ssl.transport.pemkey_filepath: odfe-node1.key
searchguard.ssl.transport.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: odfe-node1_http.pem
searchguard.ssl.http.pemkey_filepath: odfe-node1_http.key
searchguard.ssl.http.pemkey_password: thissupposedtobeakeypassword
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
- CN=*,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
-,OU=CA,O=Example Com\, Inc.,DC=example,DC=com

The config snippet just requires a small modification to work for opendistro: everything starting with ‘searchguard.’ has to be replaced by ‘opendistro_security.’

On Linux (GNU sed):

sed -i -- 's/searchguard./opendistro_security./g' *_elasticsearch_config_snippet.yml

On macOS (non-GNU sed) it is:

sed -i '' -e 's/searchguard./opendistro_security./g' *_elasticsearch_config_snippet.yml

sgtlstool fork?

My question to the ODFE team is whether this great open-source tool search-guard-tlstool can be forked, modified and included in opendistro → GitHub - floragunncom/search-guard-tlstool: SSL/TLS offline certificate generation and validation tool for Search Guard

Changing a few JSON properties in the following file should be sufficient:



Why would this happen? I’m not even sure why you used Searchguard to achieve the same thing that ODFE already supports.

Hi @chaos,

I’m not aware of any TLS certificate and config creation tool like sgtlstool that is included in ODFE.
This is a very convenient tool in terms of getting custom certificates and a more advanced SSL setup.

Let us know if there is any better solution than using demo certs or creating certs from scratch via openssl commands.



Sorry @nean
I misunderstood the post here. I thought this was a guide for using TLS in SearchGuard.

Looks good :slightly_smiling_face:

Did you get to fork this? I want to use it in a docker swarm to see if I can generate node certs during deployment.

Unfortunately, not yet.
But you can use the sgtlstool from searchguard as is and trigger the sed command as mentioned above (feel free to use any other search-and-replace mechanism, e.g. ansible replace).
That should do the trick for now.
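The prefix rewrite described in the first post and suggested again in the last reply, as an added example that is not part of the thread and not part of sgtlstool: a small POSIX sh script that converts a generated snippet to the opendistro_security.* prefix (anchored to the line start, dot escaped, so unrelated text is untouched) and then checks that every certificate file the snippet references is present next to it, as the tool's header asks. The function names and the sample snippet contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): convert a sgtlstool snippet to the
# opendistro_security.* key prefix and sanity-check the result.

# Rewrite only keys that begin a line with "searchguard." (dot escaped so the
# pattern cannot match an unrelated "searchguardX" string); output to stdout.
convert_snippet() {
  sed -e 's/^searchguard\./opendistro_security./' "$1"
}

# Print the cert/key/CA files the snippet references (values of *_filepath keys),
# skipping comment lines.
referenced_files() {
  sed -n 's/^[^#][^:]*_filepath:[[:space:]]*//p' "$1"
}

# Return 0 only if no searchguard.* key survived the conversion and every
# referenced file exists in the snippet's directory; findings go to stderr.
check_snippet() {
  snippet=$1
  dir=$(dirname "$snippet")
  rc=0
  if grep -q '^searchguard\.' "$snippet"; then
    echo "unconverted searchguard.* keys remain in $snippet" >&2
    rc=1
  fi
  for f in $(referenced_files "$snippet"); do
    if [ ! -f "$dir/$f" ]; then
      echo "missing referenced file: $dir/$f" >&2
      rc=1
    fi
  done
  # Not a failure, but worth knowing: the generated snippet turns transport
  # hostname verification off, so report it when present.
  if grep -q 'enforce_hostname_verification: false' "$snippet"; then
    echo "note: transport hostname verification is disabled in $snippet" >&2
  fi
  return $rc
}
```

Run it as `convert_snippet odfe-node1_elasticsearch_config_snippet.yml > converted.yml && check_snippet converted.yml` from the directory that holds the generated certificate files.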