Search Guard demo certificates
To set up a Search Guard PoC quickly, you can download and install our demo TLS certificates. The certificates can be used for node-to-node TLS encryption, REST encryption and for using sgadmin. They work on Linux, Mac and Windows.
The certificates are for PoC usage only. Do not install them in production.
Download and install
Download the certificates zip file, unpack it and place all files in the following directory:
<ES installation directory>/config
Next, add the Search Guard TLS configuration to elasticsearch.yml:
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test,C=de
This enables TLS encryption on both the transport layer and the REST layer.
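An added example, not part of the Search Guard documentation: a small Python check that scans an elasticsearch.yml for leftovers of the PoC configuration above before a cluster moves toward production. The function names, the sample config and the choice to flag every PoC value from the snippet are assumptions of this example, and the file-name match is only a heuristic.

```python
# PoC values and demo-bundle file names from this page (name match = heuristic).
POC_VALUES = {
    "searchguard.allow_unsafe_democertificates": "true",
    "searchguard.allow_default_init_sgindex": "true",
    "searchguard.ssl.transport.enforce_hostname_verification": "false",
}
DEMO_FILES = {"root-ca.pem", "esnode.pem", "esnode-key.pem", "kirk.pem",
              "kirk-key.pem", "spock.pem", "spock-key.pem"}
DEMO_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de"


def _norm_dn(dn):
    """Compare DNs case-insensitively, ignoring spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def audit(yml_text):
    """Return (line_number, key, reason) for each PoC leftover found."""
    findings, key = [], None
    for n, raw in enumerate(yml_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):  # list item under the previous key
            item = line[2:].strip().strip("'\"")
            if key == "searchguard.authcz.admin_dn" and _norm_dn(item) == _norm_dn(DEMO_ADMIN_DN):
                findings.append((n, key, "demo admin DN is trusted as admin"))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        if POC_VALUES.get(key) == value.lower():
            findings.append((n, key, f"PoC value '{value}'"))
        elif key.endswith("_filepath") and value.replace("\\", "/").rsplit("/", 1)[-1] in DEMO_FILES:
            findings.append((n, key, "file name matches the demo bundle"))
    return findings


# Constructed sample: a config only partly migrated away from the demo setup.
SAMPLE = """\
searchguard.ssl.transport.pemcert_filepath: certs/node1.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.allow_unsafe_democertificates: true
searchguard.authcz.admin_dn:
  - "CN=kirk, OU=client, O=client, L=test, C=de"
"""

if __name__ == "__main__":
    for n, key, reason in audit(SAMPLE):
        print(f"line {n}: {key}: {reason}")
```

The parser only handles the flat `key: value` and `- item` layout shown in the snippet above, not arbitrary YAML.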
Using sgadmin with the demo certificates
The demo certificates contain an admin TLS certificate which you can use to run sgadmin:
- kirk.pem - The admin certificate that can be used with sgadmin.
- kirk-key.pem - Private key for the admin certificate. This key has no password set.
To execute sgadmin with the kirk admin certificate, switch to the following directory:
<ES installation directory>/plugins/search-guard-<version>/tools/
And execute:
./sgadmin.sh -cd ../sgconfig -key ../../../config/kirk-key.pem -cert ../../../config/kirk.pem -cacert ../../../config/root-ca.pem -nhnv -icl
This will update the Search Guard configuration with the contents of the files located in:
<ES installation directory>/plugins/search-guard-<version>/config/
If everything is updated correctly, you will see the following output:
Will update 'sg/config' with ../sgconfig/sg_config.yml
SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml
SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml
SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml
SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml
SUCC: Configuration for 'actiongroups' created or updated
Done with success
File contents
- root-ca.pem - The root certificate used to sign all other certificates, in PEM format.
- esnode.pem - Node certificate in PEM format. Can be used for inter-node and REST encryption.
- esnode-key.pem - The private key for the node certificate. This key has no password set.
- kirk.pem - The admin certificate that can be used with sgadmin.
- kirk-key.pem - Private key for the admin certificate. This key has no password set.
- spock.pem - Regular client certificate, can be used for PKI authentication.
- spock-key.pem - Private key for the client certificate. This key has no password set.
Additional resources