Requirements
-
Elasticsearch & Kibana Free Tier (non-oss)
-
Either:
-
.pk12 SSL certificate (preferred)
-
Generate a self-signed certificate with Elasticsearch
-
Steps for existing PK12 certificate
-
Create a folder called “certs” in
..\indexer\config\-
You should now have the path
..\indexer\config\certs
-
-
Add the following to
elasticsearch.yml
Replaceelastic-certificates.p12with the organizations.p12filexpack.security.http.ssl.enabled: true xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
-
If the certificate has a password:
-
Open
CMD -
Use the
cdcommand to navigate into..\indexer\bin -
Run the following two commands, and provide the password each time
elasticsearch-keystore.bat add xpack.security.http.ssl.keystore.secure_password elasticsearch-keystore.bat add xpack.security.http.ssl.truststore.secure_password
-
-
Restart Elasticsearch
Steps for generating a self-signed certificate with Elasticsearch
-
Create a folder called “certs” in
..\indexer\config\-
You should now have the path
..\indexer\config\certs
-
-
Open
CMDandcdto..\indexer\bin -
Run the following to initiate key generation:
elasticsearch-certutil.bat ca
-
Provide a name (that ends in .pk12) or press enter to use the default
elastic-stack-ca.p12 -
Enter the desired password for the certificate (optional)
-
There will be a new file in
..\indexer\bincalledelastic-stack-ca.p12, copy that file into..\indexer\config\certs -
Add the following to
elasticsearch.ymlxpack.security.http.ssl.enabled: true xpack.security.http.ssl.keystore.path: certs/elastic-stack-ca.p12 xpack.security.http.ssl.truststore.path: certs/elastic-stack-ca.p12
-
If the certificate has a password:
-
Open
CMD -
Use the
cdcommand to navigate into..\indexer\bin -
Run the following command, and provide the password for the key
elasticsearch-keystore.bat add xpack.security.http.ssl.keystore.secure_password elasticsearch-keystore.bat add xpack.security.http.ssl.truststore.secure_password
-
-
Restart Elasticsearch
Adjust Kibana Config for SSL Elasticsearch
Now that Elasticsearch is on SSL, Kibana’s config will need to be updated to work with HTTPS
-
Change
elasticsearch.hostsURL to https and uncomment the line if commented
eg.elasticsearch.hosts: ["https://localhost:9200"] -
If the certificate is self-signed, you will need to tell Kibana that it is okay to proceed. Modify
elasticsearch.ssl.verificationModeto none
eg.elasticsearch.ssl.verificationMode: none -
Restart Kibana
Now that Elasticsearch is on https/SSL, all nodes in the cluster will need to be updated with the cert. You will need to use the same commands for elasticsearch-keystore.bat, and make the same modifications to the elasticsearch.yml files.
If the crawler is on a different machine than the index, you will need to install those certificates on that machine as well.
Reference
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-tls.html#node-certificates