This document provides steps to enable SSL/HTTPS for an Elasticsearch server. It involves generating certificates, configuring Elasticsearch, and enabling TLS for both transport and HTTP layers. The process includes generating a CA certificate, creating node certificates signed by the CA, editing the Elasticsearch configuration file, and restarting Elasticsearch to enable HTTPS.

1. - Prepared By Omkar Rane
Enabling SSL/https for Elasticsearch server
Step 1) generate CA (certificate Authority)
*Note: for production purpose use credentials.
Ref:
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#generate-
certificates
go to bin folder and open command prompt .
1) elasticsearch-certutil ca and press enter
2) When prompted, accept the default file name, which is elastic-stack-ca.p12. This file contains
the public certificate for your CA and the private key used to sign certificates for each node.
3) Enter a password for your CA. You can choose to leave the password blank if you’re not
deploying to a production environment.
4) On any single node, generate a certificate and private key for the nodes in your cluster. You
include the elastic-stack-ca.p12 output file that you generated in the previous step.
Step 2)
5) elasticsearch-certutil cert --ca elastic-stack-ca.p12 and press enter
6) Name of the CA file used to sign your certificates. The default file name from the elasticsearch-
certutil tool is elastic-stack-ca.p12.
7) Enter the password for your CA, or press Enter if you did not configure one in the previous step.
8) Create a password for the certificate and accept the default file name.
9) The output file is a keystore named elastic-certificates.p12. This file contains a node certificate,
node key, and CA certificate.

2. - Prepared By Omkar Rane
Enter previous password used for CA generation or keep it blank
Output: certificates will be generated to main directory move to config folder

3. - Prepared By Omkar Rane
Step 3) Configuration for elasticsearch.yml
Additional : (for production)
1. If you entered a password when creating the node certificate, run the following commands to
store the password in the Elasticsearch keystore:
./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
2. Complete the previous steps for each node in your cluster.
3. On every node in your cluster, start Elasticsearch. The method
for starting and stopping Elasticsearch varies depending on how you installed it.

4. - Prepared By Omkar Rane
Enable TLS on the HTTP layer for Elasticsearch
Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-
https.html#security-basic-setup-https
When you run the elasticsearch-certutil tool in http mode, the tool asks several questions about how
you want to generate certificates. While there are numerous options, the following choices result in
certificates that should work for most environments.
Encrypt HTTP client communications for Elasticsearchedit
1. On every node in your cluster, stop Elasticsearch and Kibana if they are running.
2. On any single node, from the directory where you installed Elasticsearch, run the Elasticsearch
HTTP certificate tool to generate a Certificate Signing Request (CSR).
./bin/elasticsearch-certutil http
This command generates a .zip file that contains certificates and keys to use with Elasticsearch
and Kibana. Each folder contains a README.txt explaining how to use these files.

5. - Prepared By Omkar Rane
a. When asked if you want to generate a CSR, enter n.
b. When asked if you want to use an existing CA, enter y.
c. Enter the path to your CA. This is the absolute path to the elastic-stack-ca.p12 file
that you generated for your cluster. Enter CA certificate generated path
d. Enter the password for your CA.
e. Enter an expiration value for your certificate. You can enter the validity period in
years, months, or days. For example, enter 90D for 90 days.
f. When asked if you want to generate one certificate per node, enter y.
Each certificate will have its own private key, and will be issued for a specific
hostname or IP address.
g. When prompted, enter the name of the first node in your cluster. Use the same
node name that you used when generating node certificates.
h. Enter all hostnames used to connect to your first node. These hostnames will be
added as DNS names in the Subject Alternative Name (SAN) field in your
certificate.
List every hostname and variant used to connect to your cluster over HTTPS.
i. Enter the IP addresses that clients can use to connect to your node.

6. - Prepared By Omkar Rane
j. Repeat these steps for each additional node in your cluster.

7. - Prepared By Omkar Rane
2. After generating a certificate for each of your nodes, enter a password for your
private key when prompted.
3. Unzip the generated elasticsearch-ssl-http.zip file. This compressed file
contains one directory for both Elasticsearch and Kibana.
Final output:
3. Transfer files to config
->
There are three files in this directory:
1. This README file

8. - Prepared By Omkar Rane
2. http.p12
3. sample-elasticsearch.yml
## http.p12
The "http.p12" file is a PKCS#12 format keystore.
It contains a copy of your certificate and the associated private key.
You should keep this file secure, and should not provide it to anyone else.
You will need to copy this file to your elasticsearch configuration directory.
a. Add the password for your private key to the secure settings in Elasticsearch.
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
b. Edit the elasticsearch.yml file to enable HTTPS security and specify the location of
the http.p12 security certificate.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12

9. - Prepared By Omkar Rane
Then re-run elasticsearch.bat from bin folder
Open URL : https://localhost:9200/