Elasticsearch Adding Certificate Passwords to the Elasticsearch Keystore

By Opster Team

Updated: Nov 7, 2023


Overview

Elasticsearch provides a secure keystore where sensitive settings, such as SSL certificate information, can be securely stored. This article will guide you through the process of adding certificate passwords to the Elasticsearch keystore, ensuring that your Elasticsearch cluster is secure and encrypted.

Steps to add certificate passwords to the Elasticsearch keystore

Step 1: Generate a Certificate

Before adding passwords to the Elasticsearch keystore, you need to generate a certificate. You can use the Elasticsearch certutil tool to generate a self-signed certificate. Here’s how to do it:

bin/elasticsearch-certutil cert --name my_certificate --days 365 --self-signed

You will be prompted to enter the certificate name and password. When done, this command will generate a self-signed and password-protected certificate named ‘my_certificate’ that is valid for 365 days. The certificate and private key will be packaged into a single PKCS#12 keystore.

In order to use this certificate to encrypt SSL/TLS communications, you can add the following configuration parameters in your `elasticsearch.yml` configuration file:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /path/to/my_certificate.p12
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.password: <my_certificate_password>

Replace ‘/path/to/my_certificate.p12’ with the actual path to your certificate keystore file, and ‘<my_certificate_password>’ with the password you used when creating the certificate.

As you can see, your certificate password is provided in clear text in your configuration file, which is undesirable: anyone able to read `elasticsearch.yml` can read the password. To avoid this, you can store the certificate password inside a password-protected keystore managed by Elasticsearch. This is what we are going to see in the next section.

Step 2: Create a Keystore

If you haven’t already created a keystore, you can do so using the following command:

bin/elasticsearch-keystore create

This command will create a new, empty Elasticsearch keystore that is not password-protected and simply obfuscated. If you want to protect your keystore with a password you can add the `-p` command-line switch and you will be prompted to enter a master password when creating the keystore:

bin/elasticsearch-keystore create -p

Step 3: Add the Certificate Password to the Keystore

Now that you have a certificate and a keystore, you can add the certificate password to the keystore. Use the following command to add the certificate password:

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

If the keystore is password-protected, you will first be prompted to enter its master password. Then, you will be asked to enter the certificate password to add to the secure keystore.

Step 4: Configure Elasticsearch to Use the Password-Protected Certificate

After adding the certificate password to the keystore, you need to configure Elasticsearch to use your SSL/TLS certificate. Add the following settings to your elasticsearch.yml configuration file:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /path/to/my_certificate.p12
xpack.security.transport.ssl.keystore.type: PKCS12

Replace ‘/path/to/my_certificate.p12’ with the actual path to your certificate file. As you can see, there is no longer an `xpack.security.transport.ssl.keystore.password` setting: Elasticsearch will automatically resolve the certificate password from the `xpack.security.transport.ssl.keystore.secure_password` setting inside the keystore.

Step 5: Restart Elasticsearch

After configuring Elasticsearch to use the keystore, you need to restart Elasticsearch for the changes to take effect. Use the following command to restart Elasticsearch:

systemctl restart elasticsearch

After restarting Elasticsearch, it will use the certificate password stored in the keystore for SSL/TLS.
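As an added example (not code from this article or from Elastic), here is a small Python audit that reads a flat `elasticsearch.yml`, flags the clear-text TLS password settings described above, drops them from the config and prints the matching `elasticsearch-keystore add` commands for Step 3. It goes beyond the article by also covering the other three `secure_*` TLS settings Elasticsearch supports (`key_password`, `truststore.password`, `key_passphrase`); the `secure_name` and `migrate_config` helpers, and the sample config with its placeholder values, are constructed here.

```python
import re

# Clear-text TLS password settings and their keystore (secure_*) equivalents.
# The article covers keystore.password -> keystore.secure_password; the other
# three follow the same Elasticsearch naming rule (added here from the ES docs).
CLEAR_TEXT_SUFFIXES = {
    "keystore.password": "keystore.secure_password",
    "keystore.key_password": "keystore.secure_key_password",
    "truststore.password": "truststore.secure_password",
    "key_passphrase": "secure_key_passphrase",
}

# Flat 'dotted.key: value' lines, the layout used in this article (no nested maps).
SETTING_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.]+)\s*:\s*(?P<value>.*?)\s*$")

def secure_name(key):
    """Secure keystore setting name for a clear-text TLS password key, or None."""
    for suffix, secure_suffix in CLEAR_TEXT_SUFFIXES.items():
        if key.endswith("." + suffix):
            return key[: -len(suffix)] + secure_suffix
    return None

def migrate_config(yml_text):
    """Return (hardened_yml, keystore_commands) for a flat elasticsearch.yml.
    Password lines are dropped and replaced by one 'elasticsearch-keystore add'
    command per secret; the value is never echoed (the operator types it at the prompt)."""
    kept, commands = [], []
    for line in yml_text.splitlines():
        m = SETTING_RE.match(line)
        target = secure_name(m.group("key")) if m else None
        if target is None:
            kept.append(line)  # comment, blank line or non-secret setting
        else:
            commands.append(f"bin/elasticsearch-keystore add {target}")
    return "\n".join(kept) + "\n", commands

# Constructed sample config (hypothetical path and placeholder passwords, as in the article).
SAMPLE_YML = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: /path/to/my_certificate.p12
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.keystore.password: <my_certificate_password>
xpack.security.http.ssl.truststore.password: <truststore_password>
"""

if __name__ == "__main__":
    hardened, commands = migrate_config(SAMPLE_YML)
    print("# hardened elasticsearch.yml\n" + hardened)
    print("# run these, then restart Elasticsearch:\n" + "\n".join(commands))
```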

Troubleshooting

If you encounter any issues while adding a certificate password to the Elasticsearch keystore, check the Elasticsearch logs for any error messages. The logs can provide valuable information about what went wrong.

Conclusion

In conclusion, adding a certificate password to the Elasticsearch keystore is a crucial step in securing your Elasticsearch cluster. By following the steps outlined in this article, you can ensure that your Elasticsearch cluster is secure and encrypted.