elasticsearch-certutil

Elasticsearch TLS certificate generator

TLDR

Generate CA certificate

$ elasticsearch-certutil ca

Generate node certificate

$ elasticsearch-certutil cert --ca [elastic-stack-ca.p12]

Generate CSR

$ elasticsearch-certutil csr

Generate HTTP certificates

$ elasticsearch-certutil http

Output in PEM format

$ elasticsearch-certutil ca --pem

SYNOPSIS

elasticsearch-certutil mode [options]

elasticsearch-certutil generates certificates and certificate authorities for securing Elasticsearch clusters. It simplifies the certificate management process by automating the creation of self-signed certificates, certificate authorities, and certificate signing requests.
The tool is essential for enabling TLS/SSL encryption on both the transport layer (node-to-node communication) and the HTTP layer (client API access). It generates certificates in PKCS#12 or PEM format and can include multiple DNS names and IP addresses for cluster deployments.
elasticsearch-certutil streamlines security configuration required for production Elasticsearch deployments and enables features like Elastic Stack security.

PARAMETERS

--ca file

CA certificate to use.

--out file

Output file path.

--pem

Output in PEM format.

--dns names

DNS names for certificate.

--ip addresses

IP addresses for certificate.

--pass password

Password for output file.

SUBCOMMANDS

Generate certificate authority.

cert

Generate X.509 certificates.

csr

Generate certificate signing requests.

http

Generate HTTP layer certificates.