Version: SG FLX
Community
Search Guard demo certificates
In order to set up a Search Guard PoC quickly, you can simply download and install our demo TLS certificates. The certificates can be used for node to node TLS encryption, REST encryption and for using sgctl. They work on Linux, Mac and Windows.
The certificates are for PoC usage only. Do not install on production.
Download and install
Download the certificates zip file, unpack it and place all files in the following directory:
<ES installation directory>/config
Next, add the Search Guard TLS configuration to elasticsearch.yml:
searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test,C=de
This enables TLS encryption on both the transport layer and the REST layer.
Using sgctl with the demo certificates
The demo certificates contain an admin TLS certificate which you can use to run sgctl:
- kirk.pem - The admin certificate that can be used with sgctl.
- kirk-key.pem - Private key for the admin certificate. This key has no password set.
To execute the sgctl command with the kirk admin certificate, execute:
./sgctl.sh update-config --ca-cert root-ca.pem --cert kirk.pem --key kirk-key.pem /path/to/config/
File contents
- root-ca.pem - The root certificate used to sign all other certificates, in PEM format.
- esnode.pem - Node certificate in PEM format. Can be used for inter-node and REST encryption.
- esnode-key.pem - The private key for the node certificate. This key has no password set.
- kirk.pem - The admin certificate that can be used with sgctl.
- kirk-key.pem - Private key for the admin certificate. This key has no password set.
- spock.pem - Regular client certificate, can be used for PKI authentication.
- spock-key.pem - Private key for the client certificate. This key has no password set.
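Because the demo certificates are for PoC usage only, it is worth checking a config directory for leftovers before a node is promoted beyond a PoC. The following is an added example, not part of the Search Guard documentation or tooling: a shell function that flags the demo settings, the kirk admin DN and the demo key file names listed above. The function name, the FINDING output format and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the demo-certificate settings from this page in a config dir.
# Setting names, file names and the kirk DN come from the page; the function
# name, FINDING output format and exit codes (0 clean, 1 findings, 2 no file) are assumed.
check_demo_config() {
    conf_dir=$1
    yml="$conf_dir/elasticsearch.yml"
    findings=0
    [ -f "$yml" ] || { echo "no elasticsearch.yml in $conf_dir" >&2; return 2; }
    # Active (uncommented) lines only, so disabled settings are not reported.
    active=$(grep -v '^[[:space:]]*#' "$yml" || true)
    # key=value pairs the demo setup relies on and production should not carry.
    for pair in \
        "searchguard.allow_unsafe_democertificates=true" \
        "searchguard.allow_default_init_sgindex=true" \
        "searchguard.ssl.transport.enforce_hostname_verification=false"
    do
        key=${pair%%=*}; val=${pair#*=}
        if printf '%s\n' "$active" | grep -Eq "^[[:space:]]*$key:[[:space:]]*$val"; then
            echo "FINDING: $key is $val"
            findings=$((findings + 1))
        fi
    done
    # Demo admin DN: its unprotected private key ships in the downloadable demo zip.
    if printf '%s\n' "$active" | grep -Fq "CN=kirk,OU=client,O=client,L=test,C=de"; then
        echo "FINDING: demo admin DN (kirk) present in config"
        findings=$((findings + 1))
    fi
    # Demo private keys by file name (a name match only; inspect before acting).
    for f in esnode-key.pem kirk-key.pem spock-key.pem; do
        if [ -f "$conf_dir/$f" ]; then
            echo "FINDING: $f present in $conf_dir"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample config (not from a real cluster) to exercise the check.
sample=$(mktemp -d)
cat > "$sample/elasticsearch.yml" <<'EOF'
searchguard.allow_unsafe_democertificates: true
searchguard.authcz.admin_dn:
- CN=kirk,OU=client,O=client,L=test,C=de
EOF
check_demo_config "$sample" || echo "demo settings still present in $sample"
rm -rf "$sample"
```

Call it as `check_demo_config "<ES installation directory>/config"` from a deployment or CI step and fail the step on a non-zero exit status.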