Elasticsearch: How to create Elasticsearch PEM and/or P12 certificates?

news2024/11/23 7:48:11

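Do you want to protect your Elasticsearch deployment with SSL/TLS certificates? In this article we walk through creating PEM and P12 certificates for Elasticsearch. These certificates are essential for establishing secure connections and ensuring the integrity of an Elasticsearch cluster.

Tip: you only need one of the two methods below to create and use certificates in your environment.

Method 1: Create P12 certificates

If you have not installed Elasticsearch yet, see the earlier article "How to install Elasticsearch on Linux, macOS and Windows". Once Elasticsearch is installed, proceed as follows:

Create the CA certificate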

./bin/elasticsearch-certutil ca
$ pwd
/Users/liuxg/elastic/elasticsearch-8.9.0
$ ./bin/elasticsearch-certutil ca
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.p12]: 
Enter password for elastic-stack-ca.p12 : 
$ ls
LICENSE.txt          bin                  elastic-stack-ca.p12 logs
NOTICE.txt           config               jdk.app              modules
README.asciidoc      data                 lib                  plugins

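In the output above we can see a new file named elastic-stack-ca.p12. During generation, you can choose your own password to encrypt this file.

By default, the 'ca' mode produces a single PKCS#12 output file which holds:

  • The CA certificate
  • The CA's private key

We can check it with the following command: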

$ keytool -keystore elastic-stack-ca.p12 -list
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

ca, Aug 8, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 8C:32:23:AB:22:8A:51:96:D8:6D:8C:A1:32:E8:E5:DC:A1:97:A4:59:F3:55:18:EC:A1:E0:EB:96:74:61:D5:81

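Of course, we can also inspect it with the following tool. Note that the -nodes option makes openssl print the private key unencrypted: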

openssl pkcs12 -info -nodes -in elastic-stack-ca.p12
$ openssl pkcs12 -info -nodes -in elastic-stack-ca.p12
Enter Import Password:
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
    friendlyName: ca
    localKeyID: 54 69 6D 65 20 31 36 39 31 34 36 36 33 36 31 33 35 34 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    friendlyName: ca
    localKeyID: 54 69 6D 65 20 31 36 39 31 34 36 36 33 36 31 33 35 34 
subject=CN = Elastic Certificate Tool Autogenerated CA
issuer=CN = Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

We can check the certificate's expiry date with the following command:

openssl pkcs12 -in elastic-stack-ca.p12 -nodes -nokeys -clcerts | openssl x509 -enddate -noout
$ openssl pkcs12 -in elastic-stack-ca.p12 -nodes -nokeys -clcerts | openssl x509 -enddate -noout
Enter Import Password:
notAfter=Aug  7 03:45:29 2026 GMT

Create the certificate

We use the following command:

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
$ ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.


    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.


By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Enter password for CA (elastic-stack-ca.p12) : 
Please enter the desired output file [elastic-certificates.p12]: 
Enter password for elastic-certificates.p12 : 

Certificates written to /Users/liuxg/elastic/elasticsearch-8.9.0/elastic-certificates.p12

This file should be properly secured as it contains the private key for 
your instance.
This file is a self contained file and can be copied and used 'as is'
For each Elastic product that you wish to configure, you should copy
this '.p12' file to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
$ ls
LICENSE.txt              data                     logs
NOTICE.txt               elastic-certificates.p12 modules
README.asciidoc          elastic-stack-ca.p12     plugins
bin                      jdk.app
config                   lib

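When running the command above, we need to enter the password defined in the previous step. In the output we can see a newly generated elastic-certificates.p12 file. By default, the 'cert' mode produces a single PKCS#12 output file which holds:

  • The instance certificate
  • The private key for the instance certificate
  • The CA certificate

We can check it with the following tool: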

$ keytool -keystore elastic-certificates.p12 -list
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ca, Aug 8, 2023, trustedCertEntry, 
Certificate fingerprint (SHA-256): 8C:32:23:AB:22:8A:51:96:D8:6D:8C:A1:32:E8:E5:DC:A1:97:A4:59:F3:55:18:EC:A1:E0:EB:96:74:61:D5:81
instance, Aug 8, 2023, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 98:45:D7:F2:B2:AC:0B:A0:2C:EF:14:FB:70:54:1B:00:24:02:CB:D5:48:57:2C:8A:47:92:F9:F3:0A:0E:1D:78

Of course, we can also inspect it with the following tool:

openssl pkcs12 -info -nodes -in elastic-stack-ca.p12
$ openssl pkcs12 -info -nodes -in elastic-stack-ca.p12
Enter Import Password:
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
    friendlyName: ca
    localKeyID: 54 69 6D 65 20 31 36 39 31 34 36 36 33 36 31 33 35 34 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Bag Attributes
    friendlyName: ca
    localKeyID: 54 69 6D 65 20 31 36 39 31 34 36 36 33 36 31 33 35 34 
subject=CN = Elastic Certificate Tool Autogenerated CA
issuer=CN = Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
openssl pkcs12 -in elastic-certificates.p12 -nodes -nokeys -clcerts | openssl x509 -enddate -noout
$ openssl pkcs12 -in elastic-certificates.p12 -nodes -nokeys -clcerts | openssl x509 -enddate -noout
Enter Import Password:
notAfter=Aug  7 03:52:51 2026 GMT

We can use the certificate above to configure Elasticsearch:

#elasticsearch.yml example

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
# TLS for the HTTP layer is configured under xpack.security.http.ssl.*
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

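For more, see "Elasticsearch: Updating security certificates with a different CA (Part 1) (Part 2)".

Method 2: Create PEM certificate and key files

Generate the CA certificate

We use the following command: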

./bin/elasticsearch-certutil ca --pem
$ pwd
/Users/liuxg/elastic/elasticsearch-8.9.0
$ ./bin/elasticsearch-certutil ca --pem
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

Please enter the desired output file [elastic-stack-ca.zip]: 
$ ls
LICENSE.txt          bin                  elastic-stack-ca.zip logs
NOTICE.txt           config               jdk.app              modules
README.asciidoc      data                 lib                  plugins

In the output above we can see that a file named elastic-stack-ca.zip has been generated. We can unzip it with the following command:

unzip elastic-stack-ca.zip 
$ unzip elastic-stack-ca.zip 
Archive:  elastic-stack-ca.zip
   creating: ca/
  inflating: ca/ca.crt               
  inflating: ca/ca.key               
$ tree ./ca -L 2
./ca
├── ca.crt
└── ca.key

Generate the certificate

We use the following command:

./bin/elasticsearch-certutil cert -ca-cert ca/ca.crt -ca-key ca/ca.key --pem
$ pwd
/Users/liuxg/elastic/elasticsearch-8.9.0
$ ls
LICENSE.txt          ca                   jdk.app              plugins
NOTICE.txt           config               lib
README.asciidoc      data                 logs
bin                  elastic-stack-ca.zip modules
$ ./bin/elasticsearch-certutil cert -ca-cert ca/ca.crt -ca-key ca/ca.key --pem
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.


    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.


By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

Please enter the desired output file [certificate-bundle.zip]: 

Certificates written to /Users/liuxg/elastic/elasticsearch-8.9.0/certificate-bundle.zip

This file should be properly secured as it contains the private key for 
your instance.
After unzipping the file, there will be a directory for each instance.
Each instance has a certificate and private key.
For each Elastic product that you wish to configure, you should copy
the certificate, key, and CA certificate to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.
$ ls
LICENSE.txt            ca                     elastic-stack-ca.zip   modules
NOTICE.txt             certificate-bundle.zip jdk.app                plugins
README.asciidoc        config                 lib
bin                    data                   logs

We find a newly generated certificate-bundle.zip file. We can unzip it to see the files inside:

unzip certificate-bundle.zip 
$ unzip certificate-bundle.zip 
Archive:  certificate-bundle.zip
   creating: instance/
  inflating: instance/instance.crt   
  inflating: instance/instance.key   

We can inspect the certificates with the following commands:

openssl x509 -in ca/ca.crt -text -noout
$ openssl x509 -in ca/ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a0:08:2b:4a:2e:42:27:1a:e9:b3:09:54:a4:f1:71:ed:6f:61:a6:45
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Elastic Certificate Tool Autogenerated CA
        Validity
            Not Before: Aug  8 04:28:33 2023 GMT
            Not After : Aug  7 04:28:33 2026 GMT
        Subject: CN = Elastic Certificate Tool Autogenerated CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                16:E4:55:54:1F:49:64:FB:8D:39:4C:9A:A1:67:9C:44:D0:49:47:10
            X509v3 Authority Key Identifier: 
                16:E4:55:54:1F:49:64:FB:8D:39:4C:9A:A1:67:9C:44:D0:49:47:10
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
openssl x509 -in instance/instance.crt -text -noout
$ openssl x509 -in instance/instance.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ab:59:38:42:bc:5f:2d:0f:2b:22:e3:44:14:78:ed:5f:5e:73:fe:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Elastic Certificate Tool Autogenerated CA
        Validity
            Not Before: Aug  8 04:32:58 2023 GMT
            Not After : Aug  7 04:32:58 2026 GMT
        Subject: CN = instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AF:83:15:0D:DF:5E:7F:55:84:07:7E:C4:F9:F4:5C:69:65:98:10:1B
            X509v3 Authority Key Identifier: 
                16:E4:55:54:1F:49:64:FB:8D:39:4C:9A:A1:67:9C:44:D0:49:47:10
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

We can use the certificates above to configure Elasticsearch:

# ca.crt, instance.crt and instance.key are copied into the config directory
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
# PEM files use key/certificate/certificate_authorities, not keystore/truststore
xpack.security.transport.ssl.key: instance.key
xpack.security.transport.ssl.certificate: instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.key: instance.key
xpack.security.http.ssl.certificate: instance.crt
xpack.security.http.ssl.certificate_authorities: [ "ca.crt" ]
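
Before the PEM files are copied into the configuration directory, the added example below (not part of the original article) checks that instance.crt chains to ca.crt, that instance.key belongs to it, that it is not a CA certificate, that it is not about to expire, and that the key file is private. It assumes openssl is on the PATH; check_pem_bundle and make_sample are hypothetical names, and the sample CA and certificate are throwaway files built with openssl rather than with elasticsearch-certutil.

```sh
#!/bin/sh
# Added example: sanity checks for a PEM set such as ca/ca.crt,
# instance/instance.crt and instance/instance.key.
# check_pem_bundle and make_sample are names invented for this example.

# check_pem_bundle CA CERT KEY [MIN_DAYS]
# Returns 0 when every check passes, otherwise the number of the failed check.
check_pem_bundle() {
    ca=$1; cert=$2; key=$3; min_days=${4:-30}

    # 1. The instance certificate must chain to the CA the cluster will trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL 1: $cert is not signed by $ca"; return 1; }

    # 2. The private key must belong to the certificate (same public key).
    #    Assumes an unencrypted key, as produced in the transcript above.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL 2: $key does not match $cert"; return 2; }

    # 3. A node certificate must not be a CA (the instance shows CA:FALSE).
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL 3: $cert is a CA certificate"; return 3
    fi

    # 4. The certificate must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL 4: $cert expires within $min_days days"; return 4; }

    # 5. The PEM key is unencrypted, so group and others must have no access.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
        || { echo "FAIL 5: $key is accessible to group or others"; return 5; }

    echo "OK: $cert"
}

# make_sample DIR: constructed sample data, a throwaway CA plus one
# instance certificate valid for 365 days, written into DIR.
make_sample() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        'prompt = no' '[dn]' 'CN = Sample CA' '[v3_ca]' \
        'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=instance" \
        -keyout "$d/instance.key" -out "$d/instance.csr" 2>/dev/null
    openssl x509 -req -in "$d/instance.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/instance.crt" -days 365 2>/dev/null
    chmod 600 "$d/ca.key" "$d/instance.key"
}

# Demo on the constructed sample; with real files, pass their paths instead.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
make_sample "$tmp"
check_pem_bundle "$tmp/ca.crt" "$tmp/instance.crt" "$tmp/instance.key"
```
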

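Further reading:

  • Elasticsearch: Setting up a secure Elasticsearch pipeline for log analysis

  • Elasticsearch: How to install Elastic Stack 8.x with custom certificates

  • Security: How to install Elastic SIEM and EDR

  • Elasticsearch: How to establish mutual trust between clusters without updating certificates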
