Generate Wildcard SSL Certificates for Elasticsearch

Is there an easy way to generate wildcard SSL certificates for Elasticsearch? Yes, definitely. The current Elasticsearch releases, Elasticsearch 8.x, when installed, the HTTP and Transport layers are configured with SSL/TLS certificates automatically by default. The challenge with this however, especially for the HTTP layer, is that a certificate, whose common name is tied to the node’s hostname and localhost, is generated. If you wanted to use this certificate in the cluster, it will be a bit challenging. Wildcard SSL certificates offer a convenient and effective approach to secure Elasticsearch deployments, enabling seamless encryption across multiple domains or subdomains under a single certificate.

Generating Wildcard SSL Certificates for Elasticsearch

Elasticsearch nodes in a cluster communicate with each other through the transport layer via transport protocol on port 9300/tcp while REST clients such as Beats, Kibana, Logstash or any other client, communicate with Elasticsearch through the HTTP layer via the HTTP protocol on port 9200/tcp.

Install and Setup Elasticsearch

We assume that you have a running cluster. If not, you can check our guides on how to install and setup ELK stack;

Install and Setup ELK Stack

Generate Elasticsearch Certificate Authority

So, you can use existing CA files generated automatically during install or create your own.

Use Existing CA Files

When Elasticsearch 8.x is installed, it automatically enables and configures SSL/TLS on both the HTTP and Transport layer. In the process, it generates CA and associated certificate files.

The certificate files are stored in the /etc/elasticsearch/certs/ directory.

ls -1 /etc/elasticsearch/certs/

http_ca.crt
http.p12
transport.p12

• http_ca.crt: This file contains the CA certificate for the Elasticsearch cluster. The CA certificate is used to verify the authenticity of the server certificates that are used by Elasticsearch nodes.
• http.p12: The PKCS#12 file contains the server certificate and private key for the HTTP REST interface as well as the CA key.
• transport.p12: The PKCS#12 file contains the client certificate and private key for the Transport client interface.

Similarly, you can confirm the Elasticsearch configuration;

less /etc/elasticsearch/elasticsearch.yml

...xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
...

Create Own Elasticsearch Certificate Authority

You can also create your own Elasticsearch CA. Hence, create a directory to store the certificates if you don’t have one already.

[[ -d /etc/elasticsearch/es-certs ]] || mkdir /etc/elasticsearch/es-certs

Generate the Certificate Authority (CA). By default, the CA is generated in PKCS#12 format. To generate them in the usual PEM format, pass --pem option.

/usr/share/elasticsearch/bin/elasticsearch-certutil ca \
	--pem \
	--days 3650 \
	--out /etc/elasticsearch/es-certs/elkstack-ca.zip

You can as well run the command as below and go through the prompts to generate the CA.

/usr/share/elasticsearch/bin/elasticsearch-certutil ca

The output zip file will contain individual files for the CA certificate and private key

unzip -l /etc/elasticsearch/es-certs/elkstack-ca.zip

Archive:  /etc/elasticsearch/es-certs/elkstack-ca.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2023-11-24 16:38   ca/
     1200  2023-11-24 16:38   ca/ca.crt
     1675  2023-11-24 16:38   ca/ca.key
---------                     -------
     2875                     3 files

Unzip the file to get the CA required to generate the TLS certs.

unzip -d /etc/elasticsearch/es-certs /etc/elasticsearch/es-certs/elkstack-ca.zip

Archive:  /etc/elasticsearch/es-certs/elkstack-ca.zip
   creating: /etc/elasticsearch/es-certs/ca/
  inflating: /etc/elasticsearch/es-certs/ca/ca.crt  
  inflating: /etc/elasticsearch/es-certs/ca/ca.key 

You should now have the ca/ca.crt and ca/ca.key in PEM format in the certs directory as shown above.

Generating Wildcard SSL Certificates for Elasticsearch

Now that you have the CA certificates, you can generate and sign your HTTP certificates for the Elasticseach cluster.

Using Existing CA to Generate Wildcard Certificates

If you want to use the CA certificates generated automatically during the installation of Elasticsearch to generate wildcard SSL/TLS certificates for Elasticsearch HTTP interface, then proceed as follows.

The /etc/elasticsearch/certs/http.p12 file contains the server certificate and private key for the HTTP REST interface as well as the CA key.

However, this certificate will have its common name tied to the FQDN of the Elasticsearch node. This means that, if you have a cluster of nodes, it becomes a challenge on how to define Elasticsearch host name on the clients side if you want to sent logs to other nodes in the cluster.

Example error when you try to connect to ES using Filebeat with the ES host not matching the exact ES node;

"message":"Failed to connect to backoff(elasticsearch(https://elk.kifarunix-demo.com:9200)): Get \"https://elk.kifarunix-demo.com:9200\": x509: certificate is valid for localhost, es-node01.kifarunix-demo.com, not elk.kifarunix-demo.com"

To generate wildcard SSL certificates from the existing CA, then you need to have the CA key.

To get the CA key, you first need to retrieve the password that was used to protect it by executing the command below;

/usr/share/elasticsearch/bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password

The command will print the Keystore password to standard output.

Once you have the Keystore password, extract the CA key;

openssl pkcs12 -in /etc/elasticsearch/certs/http.p12 -nodes

You will be prompted to enter the keystore password. Use the one retrieved above.

The command will print keys each with a friendlyName, e.g, friendlyName: http_ca and friendlyName: http.

MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
    friendlyName: http_ca
    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 33 39 
Key Attributes: 
-----BEGIN PRIVATE KEY-----
MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQC4y7ivLZ2UJJqp
9xKj2q5yWO6RFSXoJo92fNtaVdfu4QULNLSn540Z4nGE+pjkP1u15/H5mFzQLQQ0
rNvoZUxGgzmOLmo8eXsY3iyh5Q3suVNfYY3v+zTmFbD6A7f87MKLLSU6ee2ojdFl
OKT6j00DgmqaPYuqd6CYY7FP2/3asAiSZC9o48RplvkSRBx4Hda7SpOAzlPDGgcm
vnWQqf0Nd+TH7Y8M2Cn+//95YVuNOL03kaXeoZixjPK3zWpYCc6nVRQkR5e9ihbf
WWCBPtJq6nKRkZXWCpE8VsEwI0Pd/0z5aqqXgM9r7/YaOABZksYpX0HR49y8SkU2
C28BMN8X3229Zy2tkdYbGUOaGMuzhb/ce+SsUZDN43gYNiEcgIxNe11Xp+R0dbwc
LkolkoYNddSqi75Vem2PsdSLTR4z1xn7BWf7BxP+PY2/jcvVD4NDNAMDWwKAIW+P
qBrsJizYFLWBz0p280XI6Vm+4KMfvF9wI6wCA4UdLJBvK6Syh3CaJ/27ufiFLgQ3
xlxjY8dmWxAp8rW3pPF00wwcYF6MBjC8uGijga1fgvqjlz9qJqk0/CK2OGXRQdyK
NBh+YmYJccrShxh3wPE42S1NTsHNhiaKub6TbBn6ANKAV8luq425buH/qZhyNBy+
AP5ewwCF41H0U8eKOycbmmodYhX2QwIDAQABAoICABbv/TCL8kSdITAk9toCdCdw
BSIFBKYtgx6AnkmMNjf0aPKHIZVlwbc2IEO9Rz+tjZilUv0EKHZpNV3EcaywRijK
c65uRx7ShVuvgs1lkmDmcAQle79kkvWsOOy6NsWHgxj7YDpDQCNCgdHql1pyccC/
GLRPHLLqvl2r93+jctMI3pzXyqVeVYGLDRzIpNqpTtSt4Q6FOGhoe/1seUic5kgc
WvgQnfJI3ThFq6meqAUoxx51Tv1fWYX6/3WeYwDNLCrLqKsIJ+bi6QvixX5wFHYo
5lJN8SdBkIgeIe9JBqIw5Ou14w7Ycjvs68M9XZhrW3rEfssABDoVje8IuZ065Qs/
XFWFhPKQwkxyhkgcYnthbydI+BRWXSNPm6cfzag08brao9Ozzm6R9+Zj9J4SoH01
kWaECWbEFk+SZfjxDlUozpSIBmFcRA9crHqGKXqnUrBHNWgd+aqlgt/kxf0Nd2Qi
NiLyXO9YMZCS7h7mkXTadHPt+rD+PZubXGYEGQP5LgwQqJ7knxhP/S0wpdqblOXl
I79MT6vdKCWEKUyh79sHfDgbTa8VnzALLUme/PzL8/zR+TUMTuY7fxYWSGNSoXj5
brinxHpyMogeSXD9h/49Fk8ENjPhIVneQj16q/JR8+3yB1lcZsTaB5sqcRQCUkvg
nyqUtSMCsukLfqL0grghAoIBAQDsHobEPD0O5OaiD/q+0wrDZLdMR7iFygMsjPVE
zvFcwtytnmDDFuZGoTLK6n3XuamTIDDLAiGQDqA7OgADNmFGS/Sxq3Br1wlEJ6uK
EklCGq6+6CVZCEwf10JfVYa8MBTVIBZoR5N6E1hymvtXAV/XoT09ubXauHxZDaXB
VbjyUdZ3LsQVPB0AaKN3MTd86nIWl14CbaIPg+0QeZ4M4p1GJ3P+vHaRil4jFQJI
cPINm1JDYuSvj876UwxvUycX9uR01Ybp9mmMAgVgZWqTOY1DeM+iu0xWjyTjOqI7
TByTm0FRtwHdVo9j0sn6PDCw0LXPJh+5C0kBDIGO2apX+XpVAoIBAQDIWu8+37rF
AKZ86ALMJdDgPGhcUiNNWHemy9+9Q/xQaec+/xcMArpwhwg7y1hyzDo89qT3/+Fq
ptL960vqzee9oGnmocTj06Xwl5Mc/ByKUEwkXLllU0PvYNP87nW2Nx8B1J4IZPrk
y/KxcmFe56x3+42/7o2sDaaLVsTeMQNVBm4h3rdycmbHw925cToKCpo9iecVyNrl
p9rfsCJqQNJymeRpxASNVSM0QiCmFfnvfSPdx0a5WAGIXcLAE8xZWNWB+2XYOC7P
RpLSZqT1EiPRvwPlSxxjt7g3mvBglpdvqElZt8mbaVTLcvPrhMG/lAdf5dLjVewi
9xyCEfzdM/Y3AoIBACQ9rzuxb0G4+nlHcJoXdGB3NfccTwMh9YjB/edYyA0Pz6VK
WNm4yxFuLoico0IYOiHd3/9YzWP6CrfseBIGJ7oNcHpQsQmsULzIRfkEQ4BE7itZ
IFpg/qYoeQR+8RYzXw8zRJ0u10D2dS3qAcfh6x8CnY660WHHzTYx9Q4OpTt0OjHC
2M/VkTH93ZEu2bBvn6E+DGzc/PHasulDcXHS2obpCVHBBYXjMf26fMY3p79U5rR3
Glij/wXG93Ki1a5E893G5FVGv/6AVOjtyATe4YLIqT3194qVn/jMiBgH3578RnNP
XpblcU7GDMA+us54yl8IH/hb9hGWJNCTMiUcop0CggEAFl9BE847tr/J12y40z7t
wfw80wJA+uQECFX/l8y9oeURc1Fcq3SqiOIrIzIjoD35ytDnvuGNtDEIol3hzkhL
tjrxWFV7/MynXOQwAy6LqU4qEm1gLlZL4bD4OugNsNka10N8mgdclKvJX9Mb2FMa
SROH0oS6wRmNHUYFGaJzcs0TAykxZtArdecDHS/tgS2J55E8gow5FSfXIt8yGJdA
aJeSj9TZhUaadb1kk+ckT3+zv5H+7bdMBIQjuPr8+IUY4jjGOIydfXut7VyU0uDB
qywfLT1j4CalpV/hs4ddRZSPDDufgYETfNxLLGNYlyHaaPTqxYPUqFrbjhKgH7sr
pQKCAQAxW3yYgmPjwpyglWtiSwVLs9mTDh4ahRl+FSUwk8ZSwRD1k9APEpoPmEbP
qyalnv61aQTQN7cbEzgGm0D0t93sRWtEMU7Efq/kU/7acvc/dNJ8p4hRZXxUNNaN
reZ42/IssirFJTpTFauxSPtYb/7R6gIDAxf3J4+lGInIjWwZtvTb406rOKztvMqj
D8B5Cf9vGrO/CAjnY87BJNRFBrehhnLNFeh1pbdEMAORibfMxtn7k9EGYRdXSdrN
Xv+Zfn4rcd4zFjtMZ8fjOZXXhansJrmBAwAX9SmFtliD96OaNhEV1+3HLScDoR/K
0FZM/3K5DrR8Ed3vWKqAtEOgi5AK
-----END PRIVATE KEY-----
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
    friendlyName: http
    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 36 32 
Key Attributes: 
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC8kJYcWvgzcjRd
qzMagpo3Op94hNDJ2AX2gKP3V5B1kX4tlbjZxWwGLknfBA/Sz5fTkle8z/P0dVCf
SXuRM9e92RyQoP1gwrPXJ+McFmmgH/NwETN5aOaTThGmNN756xdyZt9qnxI3pdMs
/KUJcBM428YqlY6xFxkFWNQvkNSgC+fujwwmSGUEJ2+WdLO1UUkW2PcanRGrFj5y
VBu7KaQG9PZ6DFDcdclJQGFnxkJC6eEvWgUxA2vJQUxsfw3+NUdZeXoh3vZ+Nsvw
0Qw2DP6lZQN3IULw4kgk/Sf1tPwVVN93QfTtZK899QYwAywKjJQmkCj9oTXQuZMb
SZgf0ZMgLNpWlluRhUXxXf9GQcVbtL6kFWxxa22wGrWEmmDsd//kn4b47rPKpmu4
iSGqS035xLXV+mutjWzDtZFRvzvI4a4/va9Q4XCr3oACUDcgpHdOMpEreuaVt6o7
JdF+W4Sn80FHpsLenfh36meQ4G5LjASF1pdzpMgPJRmz2PtO30afVAQivT3jOPuJ
v/szAdIwekTLCuFEPJ3nbCQ7osxIcKUB3z3Zbin7Rr8njeev6WlvWiR3uKso29xG
80sOLzmYhLGiv6xVR2ESR/BJ+1TJXUiLn9GNBt1x8xZ3bzZGzFxIHub6nmx+7K9S
FxJ1i8Y2sjN5bE1+2LBjKRLqhQuOjwIDAQABAoICAEzTJ6WD1q23MOic0KRTY5tu
0fwbOKmTztIglS03ys5rqZnO71IiYiGeiFBJalz8YSI89Gwj2YPWrDNJkAOXuKVL
qJywSqs6iGT3hksyQnSPr/IPwAYOHCsV2pD554KxKotcqFfbWWO8tu4UPPU8aUh4
GiPNbSZvf60zBLggbNCMKUGDnHKYejeYDZmiEHmmFX4uhXadWc53sJeJ9wZpL7/5
29Xb4LIBdzHV/hl2qBZ1DV7qcUUH3MlRRl7J4RyZ/mjQ2lakbY78qliCA1SeNL2U
CzZlIc3ck4ImdjpgM3hJbQY8pBp4NAGtK4kyMaZWoiGYCGtVXASfJvUuJcGI9ESq
lxKlC+ndLfPmSFT9Yyi+34qIhCBlqpcfwT3aw8tVlVvHeI2rpPjs01s+8YnGJACY
BapcjNk0GWQZj+HrkLcOs3MUbqdpQbFIggI6US1zAzq3MrfvY03t8Qdzxsiln2nW
34nKMACAwKRcXeSSnxHE8J50VoWVZ1jaV81RqnvknGxhR4DoSmL9RWB3S9fTD1ff
qaiGzriqrl88LXqnsqiUDkgdB4brchDs6c3OF06/WS3oNRGzh/oAPFN69lTMScMg
xeFwv+auJW+c4V1Wz4ynwBZiqCy5yep2GXzJqNbl8Ad/b3hfo/K4E7mIifS/4p0H
rjLpkFkX+9DQS9GIg61xAoIBAQDFlESZdeVRkWXzMOGoYrf4a3PuLiPgq+odbYmI
Xj+kR+0hNYLWviDOxQySyxLScjT7LRuqTd9We8lItHPa/jfXEsrGkDUIOQ+WBzyd
W0SbnW0u5c6oJpj6GaQz6rcGpEAlqYgE00Ng5scXRoN/ntLiHvta0vA9P7v0iA62
nXbfGeCAaHpkoLRk/XcDBmpJueUSSJ5cZDUgSfNkLoxOM7/ZJa5oLWjcylJP/35d
wo3yM+A+VaZUW1pSLljzWnDfrEvK3ju7Kz0V9sVBoPAewtciowdp3Mi2MdlLiwLL
h0YhexDJ20QmEf4QAOOJQKaxqnoI2b3hDhsK9BaXRo+4y3WXAoIBAQD0UfnTamU7
tnOoIGweWuatJRseD8jP/8TpiWQ31k1vkaQ1BHOvaN9y66KStJUKOBTJUhf5ArQe
FZxaA3sxIxHlQitN8yuI5oNOKf42+4BCfE5ZDYn1/euksd/LNojHHOijpxoEnTaK
sHr6+RT3dvbFHzKEYxzxHbUwKPN65qAfd0LBblNLyGuqQP9fyjueV0HgQdFEtxHD
OEsteCfCYY4nxhTQ/YOg3hHX6titPmNbVXRnPmjXoCVwM64iNT7HtWuJFQI54pPi
B0DMH2kfm6njKWI+gMCnKfp3s+0bXDySxHpOn1EKj+wecFiOr/X4nN+4hBhCQ43f
APfEALR1Wv3JAoIBAQCkcNd7Zc07Sykv86IMdEUro7r0JEDGEC8k2PLbpZ2QTDDH
L/M6aTmC/iuNzShYMKd52bwpzPAx2YrYUSAPxv+QqFpOUt1gf6VCN7myObDrV2X0
311VQ/KUTV0FvLch9vhQoD3NzktIziorbAur3vMjMaf/mopKX84+IjMkt/+khbP9
C3e6YqphVzeDNAaoX+iQhBIRUXGJ8yJ4YelyeM2WnC8BE7Iv+M/zNvDkdjWPvK9J
Eh4CHZoZxetQdxh0gMEAEmBiUgVgT2czTRAseft2H3vfFtuSEAELR6JG5MpwuS1q
42xfxx/OD/9QT5etTPaOgTLwqb3GKwrWUurxYZz3AoIBAQCVzCU2wMcs42LqNGbV
/bntcxC7T8Y58YHUBk8SBS0ZONzLPN2JMO2/0kWtWVcAGv5zqQfVvxicUXe5oOTJ
bc0tGXLfqjaJC3x6UjjxkSZEnV6ULz7lOjhelEi4mckm+8yPeobzSUkFo8rjUhDO
4XvPxJ7+mJ5IH4TV8GXIdtq6MC8X1gLwNgP9MTjijGYdYTacvv4F+ZDEdyFw0Xjf
L10veb2NncI0wbODBRSws83LVAu4uYUin6gUsTsU8jx5yfwS4nSo9Qjizrul66RS
ouh4xQjddaepVo2hEwpPejARdLHgvsG7jh6hUxSY974CHnz07tjI2A6GKlu/Kwd5
5L4xAoIBABIIJOsPkaMS2Nc3iRz9GweT00QFKoZekUiwrafJa4U8bc9B5gMXja77
ozTZShXDFKxVrvTLsraCUCK4RsFMTQE+pG5Q/SEt8Lnc6D5VvY1oQu4zdbMsNfaO
vI3vVB0+IQazDIRLhV6JNCaUZAr8jxnShyz2y4N5ZJYToOp20QT5BB5z2uRdtb9Q
LrXnUNXS07bOVrBhYoi7pNbrvfiGrbrZ5aInn+NVSKy7Mkav7VaiwfhxMBwhD0kj
esbwv62ZEoAziXeW95iQxvprroZgEAgUsyZJ/cHilJ4c5YIkv2en21pGcGEtoWpv
Lc00BYUVRYhNU3H1h6CRQkbnHsNB5X4=
-----END PRIVATE KEY-----
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    friendlyName: http_ca
    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 33 39 
subject=CN = Elasticsearch security auto-configuration HTTP CA
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIVAO1DvGHBpzPO5OFYO/ofbzwF/j0VMA0GCSqGSIb3DQEB
CwUAMDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25m
aWd1cmF0aW9uIEhUVFAgQ0EwHhcNMjMxMTIzMTY1NTE4WhcNMjYxMTIyMTY1NTE4
WjA8MTowOAYDVQQDEzFFbGFzdGljc2VhcmNoIHNlY3VyaXR5IGF1dG8tY29uZmln
dXJhdGlvbiBIVFRQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
uMu4ry2dlCSaqfcSo9qucljukRUl6CaPdnzbWlXX7uEFCzS0p+eNGeJxhPqY5D9b
tefx+Zhc0C0ENKzb6GVMRoM5ji5qPHl7GN4soeUN7LlTX2GN7/s05hWw+gO3/OzC
iy0lOnntqI3RZTik+o9NA4Jqmj2LqnegmGOxT9v92rAIkmQvaOPEaZb5EkQceB3W
u0qTgM5TwxoHJr51kKn9DXfkx+2PDNgp/v//eWFbjTi9N5Gl3qGYsYzyt81qWAnO
p1UUJEeXvYoW31lggT7SaupykZGV1gqRPFbBMCND3f9M+Wqql4DPa+/2GjgAWZLG
KV9B0ePcvEpFNgtvATDfF99tvWctrZHWGxlDmhjLs4W/3HvkrFGQzeN4GDYhHICM
TXtdV6fkdHW8HC5KJZKGDXXUqou+VXptj7HUi00eM9cZ+wVn+wcT/j2Nv43L1Q+D
QzQDA1sCgCFvj6ga7CYs2BS1gc9KdvNFyOlZvuCjH7xfcCOsAgOFHSyQbyuksodw
mif9u7n4hS4EN8ZcY2PHZlsQKfK1t6TxdNMMHGBejAYwvLhoo4GtX4L6o5c/aiap
NPwitjhl0UHcijQYfmJmCXHK0ocYd8DxONktTU7BzYYmirm+k2wZ+gDSgFfJbquN
uW7h/6mYcjQcvgD+XsMAheNR9FPHijsnG5pqHWIV9kMCAwEAAaNTMFEwHQYDVR0O
BBYEFJ/4Z6NgEPU7aCUfa5IfIau7hiFaMB8GA1UdIwQYMBaAFJ/4Z6NgEPU7aCUf
a5IfIau7hiFaMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFjA
Z/O1ogihsyT/eV+G+w43gU02ELB8UOtAHBqrnq85DY8IMClZZ27xmimFXXklcDGQ
O/FVZoWqIPQzORIOnQSe2BmzRdZ347bVmgSo7kHT4016HsN9VN2hdKfRCGqqjszL
oowLkrg+PloP4XZE4I/rV68TA+0dKFsop99no1wDW3HZuBJvJpmd/gkDUxcV87i2
rRSvhgIc5a6ItSMdw0uOmm3ini5iN7xtEf3E3KD0Vs6Zpwc7WthC5vHp1II1wp3P
CHd4AAtJkbG2QgPsi10zT6d0g+WQnRkGnTBfwcyQuX5FXqH392+ALKc8R7sKhs10
wxOifVLCdbMlvuOupF3KaHUQfz2D4BwG/brIsxkCy8t78T3+IAiiUUHdZIIUkWfq
m8+PkmhYNPJDUcVa2p7EBBYN1GbYOCZJi6VfCaMYfWb7i/HwjNY5TAkxH/aujsy6
hXHQVkpmiGrUPbSDilcGLbKyCzhSAqvmrA7wSQOGgtlnDaSygNf2HK5nI2ieaHpB
eD6RLuQG2KsRkwaZqCBAHmT2MJgygFnPWz+AJ3CTPJdeEoP9Bm9iJtksdDLk7nRz
1JTCcSXXSYpa43Xaxt8UaBocuU8KKZbwiKWy7b/LyBML5fWY91QXDeet7iVhtb5U
ACF5KnFSKyPDtqZ6bRfdPJkNltjsefipnWUl5RC7
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: http
    localKeyID: 54 69 6D 65 20 31 37 30 30 37 35 38 35 31 39 32 36 32 
subject=CN = es-node01.kifarunix-demo.com
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
MIIFuTCCA6GgAwIBAgIUOhxStWo2WwpeI1a+BX/kXwF74cIwDQYJKoZIhvcNAQEL
BQAwPDE6MDgGA1UEAxMxRWxhc3RpY3NlYXJjaCBzZWN1cml0eSBhdXRvLWNvbmZp
Z3VyYXRpb24gSFRUUCBDQTAeFw0yMzExMjMxNjU1MTlaFw0yNTExMjIxNjU1MTla
MCcxJTAjBgNVBAMTHGVzLW5vZGUwMS5raWZhcnVuaXgtZGVtby5jb20wggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC8kJYcWvgzcjRdqzMagpo3Op94hNDJ
2AX2gKP3V5B1kX4tlbjZxWwGLknfBA/Sz5fTkle8z/P0dVCfSXuRM9e92RyQoP1g
wrPXJ+McFmmgH/NwETN5aOaTThGmNN756xdyZt9qnxI3pdMs/KUJcBM428YqlY6x
FxkFWNQvkNSgC+fujwwmSGUEJ2+WdLO1UUkW2PcanRGrFj5yVBu7KaQG9PZ6DFDc
dclJQGFnxkJC6eEvWgUxA2vJQUxsfw3+NUdZeXoh3vZ+Nsvw0Qw2DP6lZQN3IULw
4kgk/Sf1tPwVVN93QfTtZK899QYwAywKjJQmkCj9oTXQuZMbSZgf0ZMgLNpWlluR
hUXxXf9GQcVbtL6kFWxxa22wGrWEmmDsd//kn4b47rPKpmu4iSGqS035xLXV+mut
jWzDtZFRvzvI4a4/va9Q4XCr3oACUDcgpHdOMpEreuaVt6o7JdF+W4Sn80FHpsLe
nfh36meQ4G5LjASF1pdzpMgPJRmz2PtO30afVAQivT3jOPuJv/szAdIwekTLCuFE
PJ3nbCQ7osxIcKUB3z3Zbin7Rr8njeev6WlvWiR3uKso29xG80sOLzmYhLGiv6xV
R2ESR/BJ+1TJXUiLn9GNBt1x8xZ3bzZGzFxIHub6nmx+7K9SFxJ1i8Y2sjN5bE1+
2LBjKRLqhQuOjwIDAQABo4HHMIHEMB0GA1UdDgQWBBT+8kuJglB+SW8aGfU+6Q6z
eXx57DAfBgNVHSMEGDAWgBSf+GejYBD1O2glH2uSHyGru4YhWjBiBgNVHREEWzBZ
gglsb2NhbGhvc3SHEAAAAAAAAAAAAAAAAAAAAAGHBH8AAAGHBMCoegyCHGVzLW5v
ZGUwMS5raWZhcnVuaXgtZGVtby5jb22HEP6AAAAAAAAAUFQA//7fREMwCQYDVR0T
BAIwADATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQsFAAOCAgEAsrlA
V1F+3qA6lnQIDM4IZdQg6FksDcpgz4XnJgEuzcU2z26Ihk7UU9kOjXR8E/IhwnrH
SI9PkU49baQlfi9DyTGGYPd12P2LYW1NQzr5QRTQzqupwAAOonBzUJrMeXENOrOI
rwQASlNCiWbHVEnDsk0KKmkSdA34hLpbTZidDbjKubkeAvMoOstSxe2svtHLiFa+
EVQelxZqzZugdPhM9436hi8ZAxfGAad4HFSaQPNP5uIfv9wPP296YDt2fdtQDcq0
EzBMfnWpfizAlGVA1H9A7BIHW/dFscarzBOgSEF8WpTU6GwjNscrAfdGpKQ+hpaF
jLjSMNStt1YuO4Hym5rtxEA9JXXq+gmbyevteQBXIAlww3eXR9tsnZANj4GYwovS
uVOLWRFLXyDXxi08GRzGbWeCS4eFESaATqfvh60xvpsY7QuZAhhj9BqKS1TKU6M9
uoks7GTrgBMPKxN9eAOxG/ed0K+/J5abJAZr3SZ1YJEAMaLZE8jOGndl0x0XjzN8
4qj7Lv303mMAxbqZbsI1IiaoQceuRr8JEfWBcbtNwoQhOjVM5n7H4qD/AVUtHpR5
ms7GqsKZjI0zU11sQ2hN81vv1wkKHnWt8OrtHddhv3zyMGxqkXEAFnlPxy/g2IAf
urYWFXIwESQJ9+PoNXkZl1UFndjCXaduJgl5PlY=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: CN=Elasticsearch security auto-configuration HTTP CA
subject=CN = Elasticsearch security auto-configuration HTTP CA
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIVAO1DvGHBpzPO5OFYO/ofbzwF/j0VMA0GCSqGSIb3DQEB
CwUAMDwxOjA4BgNVBAMTMUVsYXN0aWNzZWFyY2ggc2VjdXJpdHkgYXV0by1jb25m
aWd1cmF0aW9uIEhUVFAgQ0EwHhcNMjMxMTIzMTY1NTE4WhcNMjYxMTIyMTY1NTE4
WjA8MTowOAYDVQQDEzFFbGFzdGljc2VhcmNoIHNlY3VyaXR5IGF1dG8tY29uZmln
dXJhdGlvbiBIVFRQIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
uMu4ry2dlCSaqfcSo9qucljukRUl6CaPdnzbWlXX7uEFCzS0p+eNGeJxhPqY5D9b
tefx+Zhc0C0ENKzb6GVMRoM5ji5qPHl7GN4soeUN7LlTX2GN7/s05hWw+gO3/OzC
iy0lOnntqI3RZTik+o9NA4Jqmj2LqnegmGOxT9v92rAIkmQvaOPEaZb5EkQceB3W
u0qTgM5TwxoHJr51kKn9DXfkx+2PDNgp/v//eWFbjTi9N5Gl3qGYsYzyt81qWAnO
p1UUJEeXvYoW31lggT7SaupykZGV1gqRPFbBMCND3f9M+Wqql4DPa+/2GjgAWZLG
KV9B0ePcvEpFNgtvATDfF99tvWctrZHWGxlDmhjLs4W/3HvkrFGQzeN4GDYhHICM
TXtdV6fkdHW8HC5KJZKGDXXUqou+VXptj7HUi00eM9cZ+wVn+wcT/j2Nv43L1Q+D
QzQDA1sCgCFvj6ga7CYs2BS1gc9KdvNFyOlZvuCjH7xfcCOsAgOFHSyQbyuksodw
mif9u7n4hS4EN8ZcY2PHZlsQKfK1t6TxdNMMHGBejAYwvLhoo4GtX4L6o5c/aiap
NPwitjhl0UHcijQYfmJmCXHK0ocYd8DxONktTU7BzYYmirm+k2wZ+gDSgFfJbquN
uW7h/6mYcjQcvgD+XsMAheNR9FPHijsnG5pqHWIV9kMCAwEAAaNTMFEwHQYDVR0O
BBYEFJ/4Z6NgEPU7aCUfa5IfIau7hiFaMB8GA1UdIwQYMBaAFJ/4Z6NgEPU7aCUf
a5IfIau7hiFaMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAFjA
Z/O1ogihsyT/eV+G+w43gU02ELB8UOtAHBqrnq85DY8IMClZZ27xmimFXXklcDGQ
O/FVZoWqIPQzORIOnQSe2BmzRdZ347bVmgSo7kHT4016HsN9VN2hdKfRCGqqjszL
oowLkrg+PloP4XZE4I/rV68TA+0dKFsop99no1wDW3HZuBJvJpmd/gkDUxcV87i2
rRSvhgIc5a6ItSMdw0uOmm3ini5iN7xtEf3E3KD0Vs6Zpwc7WthC5vHp1II1wp3P
CHd4AAtJkbG2QgPsi10zT6d0g+WQnRkGnTBfwcyQuX5FXqH392+ALKc8R7sKhs10
wxOifVLCdbMlvuOupF3KaHUQfz2D4BwG/brIsxkCy8t78T3+IAiiUUHdZIIUkWfq
m8+PkmhYNPJDUcVa2p7EBBYN1GbYOCZJi6VfCaMYfWb7i/HwjNY5TAkxH/aujsy6
hXHQVkpmiGrUPbSDilcGLbKyCzhSAqvmrA7wSQOGgtlnDaSygNf2HK5nI2ieaHpB
eD6RLuQG2KsRkwaZqCBAHmT2MJgygFnPWz+AJ3CTPJdeEoP9Bm9iJtksdDLk7nRz
1JTCcSXXSYpa43Xaxt8UaBocuU8KKZbwiKWy7b/LyBML5fWY91QXDeet7iVhtb5U
ACF5KnFSKyPDtqZ6bRfdPJkNltjsefipnWUl5RC7
-----END CERTIFICATE-----

The CA key will be the one under the friendlyName: http_ca. By the way, you can also confirm the common name of the certificate from the output above.

You can copy the CA key (under the friendlyName: http_ca), anything between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- and store it in a file of your choice, e.g /etc/elasticsearch/certs/http_ca_key.crt.

Once you have the CA key, execute the command below to generate wildcard certificates. Answer the prompts accordingly.

/usr/share/elasticsearch/bin/elasticsearch-certutil http

• Generate a CSR, enter n.
• Use an existing CA, enter y.
• Enter the absolute path to your new CA certificate, such as the path to the /etc/elasticsearch/certs/http_ca.crt file.
• Enter the absolute path to your new CA certificate private key, such as the path to the ca.key file.
• Enter an expiration value for your certificate. You can enter the validity period in years, months, or days. For example, enter 5y for one year.
• When asked if you want to generate one certificate per node, enter n. Here, we need Wildcard SSL/TLS certs.
• When prompted, enter the hostnames, enter all hostnames used to connect to your first node. These hostnames will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate. List every hostname and variant used to connect to your cluster over HTTPS. For the the wildcard certificates, then use a wildcard of your domain, e.g, *.kifarunix-demo.com. Press ENTER double and confirm the changes
• Enter the IP addresses that clients can use to connect to your node. Just press Enter to leave blank.
• Confirm if you need to make any changes, if not proceed.
• Set keystore password to protect the keys.
• Enter the filename into which to save lives.

You should now see the certificate files archived in the filename you provided.

unzip -l /usr/share/elasticsearch/elasticsearch-ssl-http.zip

Archive:  /usr/share/elasticsearch/elasticsearch-ssl-http.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  2023-11-24 15:03   elasticsearch/
     1365  2023-11-24 15:03   elasticsearch/README.txt
     4452  2023-11-24 15:03   elasticsearch/http.p12
      850  2023-11-24 15:03   elasticsearch/sample-elasticsearch.yml
        0  2023-11-24 15:03   kibana/
     1306  2023-11-24 15:03   kibana/README.txt
     1915  2023-11-24 15:03   kibana/elasticsearch-ca.pem
     1057  2023-11-24 15:03   kibana/sample-kibana.yml
---------                     -------
    10945                     8 files

The wildcard CA file for our domain is the one under Kibana directory in the archive above. You can use that with all clients sending data to Elasticsearch.

The http.p12 will contain the server’s certificate and keys.

You can extract to your preferred location. You will have two directories, elasticsearch and kibana, each containing the cert/CA files and a README.txt explaining how to use these files.

mkdir /etc/elasticsearch/certs

unzip -d /etc/elasticsearch/certs/ /usr/share/elasticsearch/elasticsearch-ssl-http.zip

chown -R :elasticsearch /etc/elasticsearch/certs/

Configure Elasticsearch, in the cluster to use new wildcard certificates;

vim /etc/elasticsearch/elasticsearch.yml

...
# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
#  keystore.path: certs/http.p12
  keystore.path: certs/elasticsearch/http.p12
...

Save and exit the file.

Restart Elasticsearch.

systemctl restart elasticsearch

Similarly, configure Filebeat, Logstash, Kibana or any other client connecting to Elasticsearch to use the new CA certificate.

You can download the certificate directly on the client from the Elasticsearch using openssl command;

openssl s_client -connect elk.kifarunix-demo.com:9200 -showcerts | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

The save whatever between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- in a file as ES CA certificate file.

You can run certificate verification against the server. For example;

openssl s_client -connect elk.kifarunix-demo.com:9200 -CAfile /etc/filebeat/es-ca.crt

You should get verification is okay.

subject=DC = com, CN = kifarunix-demo

issuer=CN = Elasticsearch security auto-configuration HTTP CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3065 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Using Newly Created CA to Generate Wildcard Certificates

Our newly generated CA certificate and the key are stored under /etc/elasticsearch/es-certs/ca/.

To generate the wildcard SSL/TLS Elasticsearch certificates, you can use the /usr/share/elasticsearch/bin/elasticsearch-certutil cert.

/usr/share/elasticsearch/bin/elasticsearch-certutil cert \
	--name elkstack-certs \
	--ca-cert /etc/elasticsearch/es-certs/ca/ca.crt \
	--ca-key /etc/elasticsearch/es-certs/ca/ca.key \
	--pem \
	--dns '*.kifarunix-demo.com' \
	--days 3650 \
	--out /etc/elasticsearch/es-certs/elkstack-certs.zip

If you generated CA in PKCS12 format, then you will need to extract the CA key to allow you create the certificates using the CA.

Once you have the certificates, you can install them accordingly.

Note that if you set the password for your private key while generating the certificates, then you need to add the password to the keystore to the secure settings in Elasticsearch.

/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Ensure the keystore password is same across the cluster!

Similarly, configure your Elasticsearch to use the new CA. If you are using certificates in PEM format, then your Elasticsearch configuration will look like;

xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/es-certs/elkstack-certs.key
  certificate: /etc/elasticsearch/certs/es-certs/elkstack-certs.crt
  certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt

Configure the clients to use the certificate accordingly.

Using Commercial CA Signed Certificates

If you have wildcards certs from a commercial CA, then by all means, configure Elasticsreach as well as ES clients to use them.

That brings us to a close of our guide on how to generate wildcard SSL certificates for Elasticsearch.