Generating TLS certificates
Search Guard relies heavily on the use of TLS, both for the REST and the transport layer of Elasticsearch. While TLS on the REST layer is optional (but recommended), TLS on the transport layer is mandatory.
By using TLS:
- You can be sure that nobody is spying on the traffic.
- You can be sure that nobody has tampered with the traffic.
- Only trusted nodes can join your cluster.
Search Guard also supports OpenSSL for improved performance and modern cipher suites.
The first step after installing Search Guard is to generate the necessary TLS certificates and to configure them on each node in the elasticsearch.yml configuration file.
Note that each change to this file requires a node restart.
To generate certificates, you have the following options:
- Use the Search Guard demo installation script (not safe for production)
- Download the Search Guard demo certificates (not safe for production)
- Use the Online TLS generator service (not safe for production)
- Use the Offline TLS Tool (safe for production)
- Use and customize the example PKI scripts (safe for production)
- Create a CSR and send it to your existing PKI infrastructure, if any (safe for production)
- Use tools like OpenSSL and/or keytool (safe for production)
If you have your own PKI infrastructure and are already familiar with TLS certificates, you can jump directly to TLS certificates for production environments.
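The CSR and OpenSSL options in the list above follow the same flow, shown here as an added example that is not part of the Search Guard documentation: the node creates its key and a CSR, the CA signs the CSR, and the result is checked against the CA before it goes anywhere near elasticsearch.yml. The CA, the host name node1.example.internal, RSA 2048, the 30-day validity and the extension set are assumptions for illustration; Search Guard's own certificate requirements are not stated on this page and are not modelled.

```shell
#!/bin/sh
# Added example: CSR workflow with plain OpenSSL. All names are constructed placeholders.
set -eu

# make_ca DIR: throwaway root CA standing in for your existing PKI.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=example-root-ca" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# make_csr DIR NODE: node-side step. The private key stays on the node;
# only NODE.csr is handed to the PKI.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  chmod 600 "$1/$2.key"
}

# sign_csr CADIR DIR NODE: CA-side step. Assumption: nodes both accept and open
# transport connections, so the certificate carries serverAuth and clientAuth.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$3" > "$2/$3.ext"
  openssl x509 -req -in "$2/$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 30 -extfile "$2/$3.ext" -out "$2/$3.pem" 2>/dev/null
}

# chain_ok CAFILE CERT: succeeds only if CERT chains to the given CA.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# key_matches KEY CERT: succeeds only if the certificate was issued for this key.
key_matches() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Demo run: sh make-node-cert.sh OUTDIR
if [ "$#" -eq 1 ]; then
  make_ca "$1/ca"
  make_csr "$1" node1.example.internal
  sign_csr "$1/ca" "$1" node1.example.internal
  chain_ok "$1/ca/ca.pem" "$1/node1.example.internal.pem" && echo "chain OK"
fi
```

A certificate that fails `chain_ok` against the cluster's root CA is exactly what the "only trusted nodes can join" guarantee rejects, so run both checks before distributing files to nodes.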