Version: 6.x-22

Generating TLS certificates

Search Guard relies heavily on the use of TLS, both for the REST and the transport layer of Elasticsearch. While TLS on the REST layer is optional (but recommended), TLS on the transport layer is mandatory.

By using TLS:

  • You can be sure that nobody is spying on the traffic.
  • You can be sure that nobody tampered with the traffic.
  • Only trusted nodes can join your cluster.

Search Guard also supports OpenSSL for improved performance and modern cipher suites.

The first step after installing Search Guard is to generate the necessary TLS certificates and to configure them on each node in the elasticsearch.yml configuration file.

Note that each change to this file requires a node restart.
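
Because every change to elasticsearch.yml costs a node restart, it helps to check the TLS settings before restarting. The following is an added example, not part of the Search Guard documentation: it checks that transport TLS is fully configured and reports whether REST TLS is enabled. It assumes PEM-based settings written as flat dotted keys; the helper names `parse_flat_yaml` and `check_tls` and the sample file names are illustrative.

```python
# Added example: pre-restart check of Search Guard TLS settings in elasticsearch.yml.
# Assumes flat "dotted.key: value" lines and PEM files (no keystores, no nested YAML).
TRANSPORT_REQUIRED = (
    "searchguard.ssl.transport.pemcert_filepath",
    "searchguard.ssl.transport.pemkey_filepath",
    "searchguard.ssl.transport.pemtrustedcas_filepath",
)
# The REST (HTTP) layer uses the same three settings under searchguard.ssl.http.
HTTP_REQUIRED = tuple(k.replace(".transport.", ".http.") for k in TRANSPORT_REQUIRED)


def parse_flat_yaml(text):
    """Parse 'key: value' lines, skipping blank lines and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_tls(text):
    """Return (errors, warnings) for the TLS part of the configuration."""
    cfg = parse_flat_yaml(text)
    errors, warnings = [], []
    # Transport TLS is mandatory: each node needs a certificate, key and trusted CAs.
    for key in TRANSPORT_REQUIRED:
        if not cfg.get(key):
            errors.append(f"missing {key}")
    # REST TLS is optional but recommended: warn when off, validate when on.
    if cfg.get("searchguard.ssl.http.enabled", "false").lower() != "true":
        warnings.append("REST layer TLS is disabled")
    else:
        for key in HTTP_REQUIRED:
            if not cfg.get(key):
                errors.append(f"missing {key}")
    return errors, warnings


# Constructed sample: transport TLS configured, REST TLS left at its default (off).
SAMPLE = """\
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
"""
```

Calling `check_tls(SAMPLE)` returns no errors and one warning, because the sample leaves REST TLS disabled.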

For generating certificates you have the following options:

If you have your own PKI and are already familiar with TLS certificates, you can jump directly to TLS certificates for production environments.