elasticsearch-certutil
Generate Elasticsearch security certificates
TLDR
Generate a new Certificate Authority (CA) with default options
Generate a new certificate using the built-in CA
Generate certificates non-interactively and output PEM files
Generate HTTP certificates with the built-in CA
Generate transport certificates non-interactively
Generate a certificate signing request (CSR)
Generate encrypted keystore passwords
Generate a keystore password with a specified value
SYNOPSIS
elasticsearch-certutil ca|cert|http [--option <value>]...
PARAMETERS
--ca <path>
Path to CA keystore (for cert and http).
--ca-pass <password>
Password for CA keystore.
--ca-dn <DN>
Distinguished Name for CA (default: CN=Elasticsearch root CA).
--days <days>
Certificate validity in days (default: 1095).
--dns <hostname>
DNS name in SAN (repeatable).
--ip <ip>
IP address in SAN (repeatable).
--name <name>
Node name for certificate (default: node).
--out, --file <path>
Output path (default: elastic-stack-ca.p12 or elastic-certificates.p12).
--pass <password>
Password for output keystore (default: empty).
--pem
Output PEM files instead of PKCS#12.
--in <path>
File with CSRs to sign (cert only).
--multiple
Generate certs for all hosts in --in (cert only).
--keep-ca-key
Retain CA private key after use (cert only).
--silent
Suppress non-error output.
--verbose
Enable detailed output.
--help
Show help.
--version
Show version.
DESCRIPTION
elasticsearch-certutil is a command-line tool included with Elasticsearch distributions that generates self-signed X.509 certificates, Certificate Authorities (CAs), and Certificate Signing Requests (CSRs) for securing cluster communications. It supports TLS for both the node-to-node transport layer and the HTTP REST API endpoints.
Key use cases include creating a root CA with the ca subcommand, signing node certificates with cert, and generating HTTP-specific certificates with http. Certificates are written in PKCS#12 (.p12) format by default, for direct import into Elasticsearch keystores, or in PEM format for broader compatibility.
The utility simplifies security setup without external tools such as OpenSSL: it automates multi-node certificate generation and handles Distinguished Names (DNs), Subject Alternative Names (SANs) for DNS names and IP addresses, and password protection. It is essential for production clusters that enable xpack.security features, providing encrypted data in transit and optional client authentication.
CAVEATS
Requires a Java runtime; run as the elasticsearch user.
Generated certificates are self-signed; use an external CA in production.
PKCS#12 passwords are empty by default; set them explicitly.
Not suitable for rolling cluster upgrades without planning.
SUBCOMMANDS
ca: Create root CA.
cert: Sign node CSRs/certificates.
http: Generate HTTP CA + certs.
EXAMPLES
CA: elasticsearch-certutil ca --out elastic-stack-ca.p12
Node certs: elasticsearch-certutil cert --ca elastic-stack-ca.p12 --out certs.p12
HTTP: elasticsearch-certutil http --out http.p12
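A worked provisioning script, added here and not taken from the page or from Elastic: it creates a CA and one node keystore non-interactively, refuses the empty default keystore password the CAVEATS warn about, builds the repeatable --dns/--ip SAN flags from a token list, and reads back the SAN extension of the generated certificate. It assumes elasticsearch-certutil and openssl (1.1.1 or later, for -ext) are on PATH; the node name, host name, IP and passwords are made-up values.

```shell
#!/bin/sh
# Added example, not part of the original page: CA + node keystore with SANs.
set -eu

CERTUTIL="${CERTUTIL:-elasticsearch-certutil}"   # assumed to be on PATH

# Refuse the tool's default (empty) keystore password.
require_pass() {
  [ -n "${1:-}" ] || { echo "keystore password must not be empty" >&2; return 1; }
}

# Turn "dns:host" / "ip:a.b.c.d" tokens into repeatable --dns/--ip flags.
# Returns 1 on an unrecognised token or a malformed IPv4 address.
san_flags() {
  out=""
  for tok in "$@"; do
    case "$tok" in
      dns:?*) out="$out --dns ${tok#dns:}" ;;
      ip:*)   ip="${tok#ip:}"
              echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
              out="$out --ip $ip" ;;
      *)      return 1 ;;
    esac
  done
  printf '%s' "${out# }"
}

gen_ca() {          # $1 CA password, $2 output keystore path
  require_pass "$1"
  "$CERTUTIL" ca --silent --pass "$1" --out "$2"
}

gen_node_cert() {   # $1 node, $2 CA path, $3 CA pass, $4 node pass, $5 out, then SAN tokens
  name="$1"; ca="$2"; capass="$3"; pass="$4"; outp="$5"; shift 5
  require_pass "$pass"
  flags=$(san_flags "$@")        # aborts the script on a bad token (set -e)
  # $flags is deliberately unquoted: it is a space-separated flag list.
  "$CERTUTIL" cert --silent --ca "$ca" --ca-pass "$capass" \
    --pass "$pass" --name "$name" --out "$outp" $flags
}

show_san() {        # $1 PKCS#12 keystore, $2 its password: print the SAN extension
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts |
    openssl x509 -noout -ext subjectAltName
}

if [ "${1:-}" = "run" ]; then   # constructed sample values; passwords are visible in ps
  gen_ca 'ca-Example-Pass1' elastic-stack-ca.p12
  gen_node_cert es01 elastic-stack-ca.p12 'ca-Example-Pass1' 'node-Example-Pass1' \
    es01.p12 dns:es01.example.internal ip:10.0.0.11
  show_san es01.p12 'node-Example-Pass1'
fi
```

Run it as `sh provision.sh run`; the final openssl line should list exactly the DNS name and IP that were passed as tokens.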
HISTORY
Introduced in Elasticsearch 6.8 (2019) with the free basic security license; evolved in 7.x and later to add HTTP certificates and PEM support; integral to Elastic Stack 8.x security bootstrapping.