Version: 6.x-23
Community

Search Guard demo certificates

In order to set up a Search Guard PoC quickly, you can simply download and install our demo TLS certificates. The certificates can be used for node to node TLS encryption, REST encryption and for using sgadmin. They work on Linux, Mac and Windows.

The certificates are for PoC usage only. Do not install them in production.

Download and install

Download the certificates zip file, unpack it and place all files in the following directory:

<ES installation directory>/config

Next, add the Search Guard TLS configuration to elasticsearch.yml:

searchguard.ssl.transport.pemcert_filepath: esnode.pem
searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: esnode.pem
searchguard.ssl.http.pemkey_filepath: esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test,C=de

This enables TLS encryption on both the transport layer and the REST layer.
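Because these settings are meant for a PoC only, it helps to be able to check that none of them survive in a real deployment. The following is an added example, not part of the Search Guard documentation or tooling: it scans the text of an elasticsearch.yml for the demo flags, demo file names and demo admin DN shown on this page. It assumes flat dotted keys as in the configuration above; the function names and the sample input are constructed for illustration.

```python
import re

# Demo-only values copied from the configuration and file list on this page.
DEMO_FLAGS = {"searchguard.allow_unsafe_democertificates": "true",
              "searchguard.allow_default_init_sgindex": "true",
              "searchguard.ssl.transport.enforce_hostname_verification": "false"}
DEMO_FILES = {"esnode.pem", "esnode-key.pem", "root-ca.pem", "kirk.pem",
              "kirk-key.pem", "spock.pem", "spock-key.pem"}
DEMO_ADMIN_DN = "CN=kirk,OU=client,O=client,L=test,C=de"

# Constructed sample: a config that still carries two demo leftovers.
SAMPLE = """\
searchguard.ssl.transport.pemcert_filepath: certs/node1.pem
searchguard.ssl.transport.enforce_hostname_verification: true
searchguard.allow_unsafe_democertificates: true  # forgotten after the PoC
searchguard.authcz.admin_dn:
  - "CN=ops-admin,OU=ops,O=example,C=de"
  - cn=kirk, ou=client, o=client, l=test, c=de
"""

def _norm_dn(dn):
    """Normalise a DN so case, quotes and spacing do not hide a match."""
    return ",".join(p.strip().lower() for p in dn.strip("'\" ").split(","))

def audit_demo_settings(yml_text):
    """Return (line_no, message) findings; assumes flat dotted keys."""
    findings, in_admin_dn = [], False
    for no, raw in enumerate(yml_text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        item = re.match(r"\s*-\s+(.*)$", line)
        if item and in_admin_dn:  # list entry under searchguard.authcz.admin_dn
            if _norm_dn(item.group(1)) == _norm_dn(DEMO_ADMIN_DN):
                findings.append((no, "demo admin DN (kirk) is listed in admin_dn"))
            continue
        in_admin_dn = False
        m = re.match(r"([\w.]+):\s*(.*)$", line)
        key, val = (m.group(1), m.group(2).strip("'\" ")) if m else ("", "")
        if key == "searchguard.authcz.admin_dn":
            in_admin_dn = True
        elif DEMO_FLAGS.get(key) == val.lower():
            findings.append((no, f"{key}: {val} is a demo-only setting"))
        elif key.endswith("_filepath") and val.rsplit("/", 1)[-1] in DEMO_FILES:
            findings.append((no, f"{key} points at demo file {val}"))
    return findings

if __name__ == "__main__":
    print(*audit_demo_settings(SAMPLE), sep="\n")
```

A file name match such as root-ca.pem is only a hint that the demo bundle may be in use, since the check compares names and does not inspect the certificate itself.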

Using sgadmin with the demo certificates

The demo certificates contain an admin TLS certificate which you can use to run sgadmin:

  • kirk.pem - The admin certificate that can be used with sgadmin.
  • kirk-key.pem - Private key for the admin certificate. This key has no password set.

To execute sgadmin with the kirk admin certificate, switch to the following directory:

<ES installation directory>/plugins/search-guard-<version>/tools/

And execute:

./sgadmin.sh -cd ../sgconfig -key ../../../config/kirk-key.pem -cert ../../../config/kirk.pem -cacert ../../../config/root-ca.pem -nhnv -icl

This will update the Search Guard configuration with the contents of the files located in:

<ES installation directory>/plugins/search-guard-<version>/sgconfig/

If everything is updated correctly, you will see the following output:

Will update 'sg/config' with ../sgconfig/sg_config.yml 
   SUCC: Configuration for 'config' created or updated
Will update 'sg/roles' with ../sgconfig/sg_roles.yml 
   SUCC: Configuration for 'roles' created or updated
Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml 
   SUCC: Configuration for 'rolesmapping' created or updated
Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml 
   SUCC: Configuration for 'internalusers' created or updated
Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml 
   SUCC: Configuration for 'actiongroups' created or updated
Done with success

File contents

  • root-ca.pem - The root certificate used to sign all other certificates, in PEM format.
  • esnode.pem - Node certificate in PEM format. Can be used for inter-node and REST encryption.
  • esnode-key.pem - The private key for the node certificate. This key has no password set.
  • kirk.pem - The admin certificate that can be used with sgadmin.
  • kirk-key.pem - Private key for the admin certificate. This key has no password set.
  • spock.pem - Regular client certificate, can be used for PKI authentication.
  • spock-key.pem - Private key for the client certificate. This key has no password set.
