Version: SG FLX
Community

Search Guard demo certificates

In order to set up a Search Guard PoC quickly, you can simply download and install our demo TLS certificates. The certificates can be used for node to node TLS encryption, REST encryption and for using sgctl. They work on Linux, Mac and Windows.

The certificates are for PoC usage only. Do not install on production.

Download and install

Download the certificates zip file, unpack it and place all files in the following directory:

<ES installation directory>/config

Next, add the Search Guard TLS configuration to elasticsearch.yml:

copy

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de

This will enable TLS encryption on transport and on REST layer.

Using sgctl with the demo certificates

The demo certificates contain an admin TLS certificate which you can use to run sgctl

  • kirk.pem - The admin certificate that can be used with sgctl.
  • kirk-key.pem - Private key for the admin certificate. This key has no password set.

To execute the sgctl command with the kirk admin certificate, execute:

./sgctl.sh update-config --ca-cert root-ca.pem --cert kirk.pem --key kirk-key.pem /path/to/config/

File contents

  • root-ca.pem - The root certificate used to sign all other certificates, in PEM format.
  • esnode.pem - Node certificate in PEM format. Can be used for inter-node and REST encryption.
  • esnode-key.pem - The private key for the node certificate. This key has no password set.
  • kirk.pem - The admin certificate that can be used with sgctl.
  • kirk-key.pem - Private key for the admin certificate. This key has no password set.
  • spock.pem - Regular client certificate, can be used for PKI authentication.
  • spock-key.pem - Private key for the client certificate. This key has no password set.


Not what you were looking for? Try the search.