Generating the required HTTP certificates

Use the Elasticsearch HTTP certificate tool elasticsearch-certutil to generate a dedicated HTTP certificate authority (CA) and a self-signed certificate for Elasticsearch and Kibana.

  1. Open a new Administrator command-line shell (Command shell or PowerShell) and navigate to your Elasticsearch install folder.
  2. Run the Elasticsearch HTTP certificate tool:
    .\bin\elasticsearch-certutil.bat http
    1. When asked if you want to generate a Certificate Signing Request (CSR), enter n.
    2. When asked if you want to use an existing CA, enter n.
    3. Enter a password for the new CA.
      Make a note of the CA password, as you will need it later when you add the CA to the MI application server machine(s) where Filebeat will be running.
    4. Enter an expiration value for your certificate. You can enter the validity period in years, months, or days. For example, enter 90D for 90 days.
    5. When asked if you want to generate one certificate per node, enter n.
    6. Enter the hostname used to connect to Elasticsearch over HTTPS. List every variant. Include entries for the machine name and FQDN of every node in the cluster. These will be added as DNS names in the Subject Alternative Name (SAN) field in your certificate. For example:
      myhostname
      myhostname.mydomain.tld
      localhost

      Enter one per line, pressing Enter after each to start a new line. Press Enter twice to finish.

    7. You do not need to add IP addresses, so you can click through this option.
  3. Enter a password for your certificate private key when prompted.
  4. Unzip the generated elasticsearch-ssl-http.zip file. This compressed file contains Elasticsearch and Kibana folders.
  5. Copy these two files to the Elasticsearch config\certs\ folder.
    • ca\ca.p12 - file containing the Elasticsearch HTTP CA (certificate authority)
    • elasticsearch\http.p12 - keystore file containing the certificate and private key for HTTP encryption

    When asked if you want to overwrite the existing http.p12 keystore in config\certs\, enter y.

    (You can delete the default http_ca.crt CA certificate file from the \config\certs\ folder, as it is not needed.)

  6. Add the HTTP certificate private key password to the Elasticsearch keystore using this command, entering the private key password when prompted:
    .\bin\elasticsearch-keystore.bat add "xpack.security.http.ssl.keystore.secure_password"
    Answer y when asked if you wish to overwrite the existing setting.
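
To confirm that the http.p12 keystore copied to config\certs\ carries every hostname entered at the SAN prompt and is still within its validity period, you can inspect it from the same PowerShell session. This check is an added example, not part of the original procedure; the expected names are the sample hostnames from the steps above, and the 14-day warning threshold is an assumption.

```powershell
# Added example, not part of the product documentation.
# Assumptions: run from the Elasticsearch install folder; $ExpectedNames holds
# the hostnames entered at the SAN prompt (the values below are the page's samples).
$KeystorePath  = '.\config\certs\http.p12'
$ExpectedNames = @('myhostname', 'myhostname.mydomain.tld', 'localhost')
$WarnDays      = 14   # assumed renewal warning threshold

# Read the private key password without echoing it to the console.
$password = Read-Host -Prompt 'http.p12 private key password' -AsSecureString

# Get-PfxData (PKI module) parses the PKCS#12 file without installing anything
# into a Windows certificate store.
$pfx  = Get-PfxData -FilePath (Resolve-Path $KeystorePath).Path -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $KeystorePath" }

# DnsNameList holds the SAN DNS entries (plus the subject CN, if it is a DNS name).
$actual  = @($leaf.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
$missing = @($ExpectedNames | Where-Object { $actual -notcontains $_.ToLowerInvariant() })

# Whole days until the certificate stops being valid.
$daysLeft = [int][math]::Floor(($leaf.NotAfter - (Get-Date)).TotalDays)

[pscustomobject]@{
    Subject      = $leaf.Subject
    Issuer       = $leaf.Issuer
    NotAfter     = $leaf.NotAfter
    DaysLeft     = $daysLeft
    DnsNames     = $actual -join ', '
    MissingNames = $missing -join ', '
} | Format-List

if ($missing.Count -gt 0) {
    Write-Warning "Names missing from the certificate: $($missing -join ', '). Clients connecting with these names will fail hostname verification."
}
if ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft day(s); regenerate it before $($leaf.NotAfter)."
}
```

An empty MissingNames value means every listed hostname is present in the certificate. If a name is missing, rerun the certificate tool and enter the full list of hostnames again.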