elasticsearch-certutil
Elasticsearch TLS certificate generator
SYNOPSIS
elasticsearch-certutil mode [options]
DESCRIPTION
elasticsearch-certutil generates certificates and certificate authorities for securing Elasticsearch clusters. It simplifies the certificate management process by automating the creation of self-signed certificates, certificate authorities, and certificate signing requests.
The tool is essential for enabling TLS/SSL encryption on both the transport layer (node-to-node communication) and the HTTP layer (client API access). It generates certificates in PKCS#12 or PEM format and can include multiple DNS names and IP addresses for cluster deployments.
elasticsearch-certutil streamlines security configuration required for production Elasticsearch deployments and enables features like Elastic Stack security.
PARAMETERS
--ca file
Path to existing CA in PKCS#12 format (cert mode).
--ca-cert file
Path to CA certificate in PEM format.
--ca-key file
Path to CA private key in PEM format.
--ca-pass password
Password for the CA private key.
--out file
Output file path.
--pem
Output in PEM format instead of PKCS#12.
--dns names
Comma-separated list of DNS names for the certificate.
--ip addresses
Comma-separated list of IP addresses for the certificate.
--name name
Filename (without extension) for generated certificate.
--pass password
Password for the generated private key.
--days n
Certificate validity period in days (default: 1095).
--keysize bits
RSA key size in bits (default: 2048).
--multiple
Generate certificates for multiple instances.
--in file
YAML file describing instances to generate certificates for.
--self-signed
Create a self-signed certificate (cert mode).
-s, --silent
Minimal output.
-v, --verbose
Verbose output.
SUBCOMMANDS
ca
Generate certificate authority.
cert
Generate X.509 certificates.
csr
Generate certificate signing requests.
http
Generate HTTP layer certificates.
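The ca and cert modes combined for a multi-node cluster, as an added example that is not part of the original page: it builds the instances file passed to --in and signs one certificate per node with a new CA. It assumes elasticsearch-certutil is on PATH and that CA_PASS and NODE_PASS are set in the environment; the host names, addresses and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Host names and addresses
# below are constructed; CA_PASS and NODE_PASS are assumed env variables.

# Emit one YAML list ("dns:" or "ip:") from comma-separated values.
yaml_list() {  # $1 = key, $2 = values, or "-" for none
    [ -n "$2" ] && [ "$2" != "-" ] || return 0
    printf '    %s:\n' "$1"
    printf '%s\n' "$2" | tr ',' '\n' | sed 's/.*/      - "&"/'
}

# Convert "name dns1,dns2 ip1,ip2" lines on stdin into the instances
# file that cert mode reads through --in.
write_instances_yaml() {
    echo "instances:"
    while read -r name dns ip; do
        [ -n "$name" ] || continue
        printf '  - name: "%s"\n' "$name"
        yaml_list dns "$dns"
        yaml_list ip "$ip"
    done
}

# Create a CA, then sign one certificate per instance with it.
generate_certs() {  # $1 = instances file, $2 = output archive
    elasticsearch-certutil ca --silent --out elastic-stack-ca.p12 \
        --pass "$CA_PASS" --days 1095 --keysize 4096
    elasticsearch-certutil cert --silent --in "$1" --out "$2" \
        --ca elastic-stack-ca.p12 --ca-pass "$CA_PASS" \
        --pass "$NODE_PASS" --days 365 --keysize 4096
}

HOSTS='node1 node1.example.internal,localhost 192.0.2.11
node2 node2.example.internal 192.0.2.12'

# Only run the tool where it is installed; the YAML helper works anywhere.
if command -v elasticsearch-certutil >/dev/null 2>&1; then
    : "${CA_PASS:?set CA_PASS}" "${NODE_PASS:?set NODE_PASS}"
    umask 077   # key material must not be readable by other users
    printf '%s\n' "$HOSTS" | write_instances_yaml > instances.yml
    generate_certs instances.yml certs.zip
fi
```

Values given to --pass and --ca-pass are visible in the process list while the tool runs, so run this on a trusted administration host and keep elastic-stack-ca.p12 off the cluster nodes.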
