How to Secure Your Elasticsearch Cluster with Wildcard SSL/TLS Certificates: A Step-by-Step Guide
Protecting the data within your Elasticsearch cluster is not just a best practice; it’s a critical security requirement. Unencrypted communication between nodes or from clients leaves your data vulnerable to interception. One of the most efficient ways to lock down your cluster is by implementing Transport Layer Security (TLS) using wildcard certificates.
This guide will walk you through the process of generating and configuring wildcard SSL/TLS certificates to encrypt all traffic within your Elasticsearch environment.
Why Use a Wildcard Certificate for Elasticsearch?
As your Elasticsearch cluster grows, managing individual SSL certificates for each node becomes a significant administrative burden. Every time you add or replace a node, you would need to issue a new certificate.
A wildcard SSL/TLS certificate simplifies this process immensely. It is a single certificate that can secure a domain and all of its first-level subdomains. For example, a certificate for *.your-cluster.com will be valid for node1.your-cluster.com, node2.your-cluster.com, and any other node you add under that domain.
The key benefits are:
- Scalability: Easily add new nodes to the cluster without generating new certificates.
- Simplified Management: Renew and manage one certificate instead of dozens.
- Cost-Effectiveness: Purchasing one wildcard certificate is often cheaper than buying many individual ones.
Step 1: Create Your Own Certificate Authority (CA)
For internal cluster communication, creating your own private Certificate Authority is a secure and practical approach. This CA will act as the trusted source for signing your server certificates.
First, generate a private key for your CA:
openssl genrsa -aes256 -out ca.key 4096
You will be prompted to create a passphrase. Store this passphrase securely, as it’s required to sign any certificates.
Next, create the CA’s root certificate using the key. This certificate will be used by your nodes to verify the identity of other nodes.
openssl req -new -x509 -sha256 -days 3650 -key ca.key -out ca.crt
You will be prompted to enter details for the certificate, such as Country, Organization, and Common Name (CN). For the CN, use a descriptive name like “My Elasticsearch Cluster CA”.
Step 2: Generate the Wildcard Server Certificate
Now, you’ll create the wildcard certificate that will be used by every node in your cluster.
Create a private key for your nodes:
openssl genrsa -out wildcard.key 4096Create a Certificate Signing Request (CSR):
When prompted for the Common Name (CN), you must enter the wildcard domain. For example:*.your-cluster-domain.com. This is the most critical step.openssl req -new -key wildcard.key -out wildcard.csrSign the Wildcard Certificate with Your CA:
This command uses your CA key (ca.key) and CA certificate (ca.crt) to sign the CSR, officially creating the wildcard certificate (wildcard.crt). We’ll also include Subject Alternative Names (SANs) for better compatibility.Create a file named
v3.extwith the following content, replacing the DNS entry with your domain:authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = *.your-cluster-domain.comNow, run the signing command:
openssl x509 -req -in wildcard.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out wildcard.crt -days 365 -sha256 -extfile v3.extYou now have
wildcard.crtandwildcard.key, which will be deployed to your nodes.
Step 3: Package the Certificates for Elasticsearch
Elasticsearch requires certificates to be in a specific format, typically a PKCS#12 keystore (.p12 or .pfx). This file bundles the private key and the certificate together.
Run the following command to create the PKCS#12 file. You will be asked to create an export password, which you’ll need for your Elasticsearch configuration.
openssl pkcs12 -export -out wildcard.p12 -inkey wildcard.key -in wildcard.crt -certfile ca.crt
It is crucial to use a strong, unique password for the keystore and store it safely in the Elasticsearch Keystore.
Step 4: Configure Your Elasticsearch Nodes
With your wildcard.p12 keystore and your ca.crt file ready, it’s time to configure Elasticsearch.
Copy the
wildcard.p12andca.crtfiles to the configuration directory on each Elasticsearch node (e.g.,/etc/elasticsearch/certs/).Secure the file permissions to ensure only the
elasticsearchuser can read them:chmod 600 /etc/elasticsearch/certs/*Add the keystore password to the secure Elasticsearch Keystore. This avoids storing the password in plain text in
elasticsearch.yml../bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_passwordUpdate your
elasticsearch.ymlfile on each node with the following configuration to enable TLS for transport (node-to-node) communication:# Enable X-Pack Security features xpack.security.enabled: true # Enable SSL/TLS for the transport layer xpack.security.transport.ssl.enabled: true xpack.security.transport.ssl.verification_mode: certificate # Keystore containing the node's private key and wildcard certificate xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/wildcard.p12 # Truststore containing the CA certificate to verify other nodes xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/wildcard.p12Note: For simplicity, we are using the same
.p12file for both the keystore and truststore since it already contains the CA certificate.Restart each Elasticsearch node one by one for the changes to take effect.
Final Security Tips
- Secure Your CA Private Key: The
ca.keyfile is the master key to your cluster’s security. Store it offline and in a highly secure location. Anyone with this key can issue trusted certificates for your cluster. - Automate Certificate Rotation: SSL certificates expire. Plan a process for rotating them before their expiration date to avoid cluster downtime.
- Encrypt Client Communication: Apply the same principles to the HTTP layer (
xpack.security.http.ssl.enabled: true) to ensure that communication from clients like Kibana or your applications is also fully encrypted.
By following these steps, you can build a resilient, scalable, and secure Elasticsearch cluster. Encrypting data-in-transit with wildcard TLS certificates is a fundamental step toward protecting your data and creating a trustworthy infrastructure.
Source: https://kifarunix.com/generate-wildcard-ssl-certificates-for-elasticsearch/
