If you don’t have access to a certificate authority (CA) for your organization and want to use Open Distro for Elasticsearch for non-demo purposes, you can generate your own self-signed certificates using OpenSSL.
In the above section all the x509 extension that are required should be specified in usrcert section in openssl.cnf usrcert basicConstraints=CA:FALSE nsCertType = client, server, email keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection nsComment = 'OpenSSL.
Use openssl to create an x509 self-signed certificate authority (CA), certificate signing request (CSR), and resulting private key with IP SAN and DNS SAN - create-certs.sh. Openssl req -newkey rsa:2048 -nodes -keyout domain.key-x509 -days 365 -out domain.crt The –days parameter is set to 365, meaning that the certificate is valid for the next 365 days. The x509 parameter indicates that this will be a self-signed certificate. A temporary CSR is generated, and it is used only to gather the necessary information. Openssl ca -config rootca.conf -in pop.csr -out pop.crt -extensions clientext Select the new certificate in the Certificate Details view. To find the PEM file, navigate to the certs folder. After the certificate uploads, select Verify. The CA certificate status should change to Verified. Step 8 - Create a device in your IoT Hub.
You can probably find OpenSSL in the package manager for your operating system.
On CentOS, use Yum:
On macOS, use Homebrew:
Generate a private key
The first step in this process is to generate a private key using the
genrsa command. As the name suggests, you should keep this file private.
Private keys must be of sufficient length to be secure, so specify
You can optionally add the
-aes256 option to encrypt the key using the AES-256 standard. This option requires a password.
Generate a root certificate
Next, use the key to generate a self-signed certificate for the root CA:
-days 30 to 3650 (10 years) or some other number to set a non-default expiration date. The default value of 30 days is best for testing purposes.
-x509option specifies that you want a self-signed certificate rather than a certificate request.
-sha256option sets the hash algorithm to SHA-256. SHA-256 is the default in later versions of OpenSSL, but earlier versions might use SHA-1.
Follow the prompts to specify details for your organization. Together, these details form the distinguished name (DN) of your CA.
Generate an admin certificate
To generate an admin certificate, first create a new key:
Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):
Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:
Follow the prompts to fill in the details. You don’t need to specify a challenge password. As noted in the OpenSSL Cookbook, “Having a challenge password does not increase the security of the CSR in any way.”
Finally, generate the certificate itself:
Just like the root certificate, use the
-days option to specify an expiration date of longer than 30 days.
(Optional) Generate node and client certificates
Follow the steps in Generate an admin certificate with new file names to generate a new certificate for each node and as many client certificates as you need. Each certificate should use its own private key.
If you generate node certificates and have
opendistro_security.ssl.transport.enforce_hostname_verification set to
true (default), be sure to specify a common name (CN) for the certificate that matches the hostname of the intended node. If you want to use the same node certificate on all nodes (not recommended), set the hostname verification to
false. For more information, see Configure TLS certificates.
If you already know the certificate details and don’t want to specify them as the script runs, use the
-subj option in your
root-ca.pem and CSR commands:
Get distinguished names
If you created admin and node certificates, you must specify their distinguished names (DNs) in
elasticsearch.yml on all nodes:
Openssl X509 Cacreateserial
But if you look at the
subject of the certificate after creating it, you might see different formatting:
If you compare this string to the ones in
elasticsearch.yml above, you can see that you need to invert the order of elements and use commas rather than slashes. Enter this command to get the correct string:
Openssl X509 Cacreateserial
Then you can copy and paste the output into
This process generates many files, but these are the ones you need to add to your cluster configuration:
For information about adding and using these certificates in your own setup, see Docker security configuration and Configure TLS certificates.
After configuring your certificates and starting Elasticsearch, run
securityadmin.sh to initialize the security plugin:
For more information about what this command does, see Apply configuration changes.
If you use Docker, see Bash access to containers.
Openssl X509 Camera
Openssl X509 Case
Depending on your settings in
kibana.yml, you might need to add
root-ca.pem to your Kibana node. You have two options: disable SSL verification or add the root CA.
Disable SSL verification:
Add the root CA: