Version: 6.x-21
This is an older version of Search Guard. Switch to Latest version
Community

Online TLS certificate generator

We provide an online TLS service which you can use to generate all required certificates for running Search Guard:

https://search-guard.com/tls-certificate-generator/

You need to provide your email address and organisation name, and can specify up to 10 hostnames. The certificates, key and truststore files are generated in the background and we will send you a download link once the certificates have been created.

Your email is necessary to send you the download link, while the organisation name will become part of the generated root CA. Use only letters, digits, hyphens and dots for the hostname.

Contents

After downloading and unpacking the certificate archive, you will see the following file structure:

File hierarchy
  • Expand all
  • Collapse all
  • node-certificates - Node certificates for all hostnames
    • CN=[hostname]-keystore.jks - Keystore containing the node certificate for [hostname]
    • CN=[hostname]-keystore.p12 - PKCS#12 containing the node certificate for [hostname]
    • CN=[hostname]-signed.pem - PEM certificate for [hostname], without root or intermediate CA
    • CN=[hostname].crtfull.pem - Full certificate chain for [hostname], with root and intermediate CA
    • CN=[hostname].key.pem - Private key for [hostname]
  • client-certificates - Client- and admin certificates
    • CN=sgadmin-keystore.jks Keystore containing the admin certificate. Can be used with sgadmin.
    • CN=sgadmin-keystore.p12 PKCS#12 containing the admin certificate. Can be used with sgadmin.
    • CN=sgadmin-signed.pem PEM admin certificate
    • CN=sgadmin.crtfull.pem PEM admin certificate including the root and intermediate CA. Can be used with sgadmin.
    • CN=sgadmin.key.pem Private key for the admin certificate. Can be used with sgadmin.
    • CN=sgadmin.csr The CSR used to create the admin certificate
    • CN=demouser-keystore.jks Keystore containing a client certificate. Can be used for TLS client authentication or for Transport Clients.
    • CN=demouser-keystore.p12 PKCS#12 containing a client certificate. Can be used for TLS client authentication or for Transport Clients.
    • CN=demouser-signed.pem PEM client certificate
    • CN=demouser.crtfull.pem PEM client certificate including the root and intermediate CA. Can be used for TLS client authentication or for Transport Clients.
    • CN=demouser.key.pem Private key for the client certificate. Can be used for TLS client authentication or for Transport Clients.
    • CN=demouser.csr The CSR used to create the client certificate
  • root-ca - The root CA used for creating the signing certificates
    • root-ca.crt - Root CA in CRT format
    • root-ca.pem - Root CA in PEM format
    • root-ca.key - Private key of the root CA
  • signing-ca - The signing CA used for creating and signing the node certificates
    • signing-ca.crt - Signing CA in CRT format
    • signing-ca.pem - Signing CA in PEM format
    • root-ca.key - Private key of the signing CA
  • truststore.jks - Truststore containing the root CA
  • truststore.p12 - PKCS#12 containing the root CA
  • root-ca.pem - PEM containing the root certificate
  • chain-ca.pem - PEM containing the root and the intermediate certificate
  • README.txt - Installation instructions. You can find all auto-generated passwords here.