Configure HTTPS for Elasticsearch

by Dai (Bato) Quach

1.       Generate CA and key for ELK stack

./bin/elasticsearch-certutil ca

2.       Generate certs and its key for nodes (in the cluster, do the same for each node)

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

3.       Config the node inter communication - elasticsearch.yml

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

if there is a password for the private key then add it to elasticsearch keystore.

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

4.       Generate cert and its key for https config

./bin/elasticsearch-certutil http

It generated elasticsearch-ssl-http.zip file:

/elasticsearch
|_ README.txt
|_ http.p12
|_ sample-elasticsearch.yml

/kibana
|_ README.txt
|_ elasticsearch-ca.pem
|_ sample-kibana.yml

5.       From Elasticsearch, use the key http.p12 from previous step - elasticsearch.yml

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

if there is a password for the private key, then add it to elasticsearch keystore.

./bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

6.       From Kibana, use the cert elasticsearch-ca.pem from the previous step – kibana.yml

elasticsearch.ssl.certificateAuthorities: elasticsearch-ca.pem

elasticsearch.hosts: https://:9200

References:
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html