Adding new ES nodes and their SSL certs

Concerning transport-level TLS, can someone explain what needs to be in place when expanding an ES cluster with SG? Some questions I have are:

  • Does each node need its own cert? (I assume yes)
  • If adding a new node, do all other truststores need to be updated to include the cert of the new node?

Going back to my first question, is it at all possible to use one node cert for all nodes?

Please and thanks,

Marco.

The whole point of using TLS is to be able to add and remove nodes dynamically from your cluster, without having to touch the other nodes:

The truststore contains the Root CA which is used to sign the node certificates.

The keystore contains the node certificate (and intermediate certificates if any).

When a node connects, the certificate in the keystore is validated against the Root CA in the truststore. The only requirement is that the node certificate was signed by the truststore.

So when adding a node, you do not need to touch the truststore or the keystore files of the other nodes, given that the certificate used by the new node was signed by the cert in the truststore.

Although not recommended, you can use the same node certificate on all nodes. You will not be able to use hostname verification or hostname DNS lookups though since these would vary across your nodes.
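The model described in the answer above, as an added example that is not part of the original thread and not Search Guard's own tooling: a root CA (what goes in every truststore), per-node certificates signed by it (what goes in each keystore), and the check a peer performs when a node connects. It then adds a third node and shows that the existing truststore validates it unchanged, that a certificate not signed by the CA is rejected, and that a single certificate reused on every node passes the chain check but fails hostname verification. It assumes `openssl` is installed; the hostnames (`esnode1.example.com` and so on) and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Search Guard tooling: a root CA, node certs signed by it,
# and the check a peer performs at the transport handshake. Requires openssl.
# Hostnames (esnode1.example.com ...) and file names are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The root CA certificate is the only thing that lives in every node's truststore.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example ES Root CA" \
    -keyout "$WORK/root-ca.key" -out "$WORK/root-ca.pem" 2>/dev/null
}

# A node certificate: per-node key and CSR, signed by the root CA, with the
# node's hostname in subjectAltName so hostname verification can be enabled.
make_node_cert() {
  name=$1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" >"$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# What a peer does when a node connects: chain the presented certificate to the
# root CA in its truststore. Prints ok or fail.
verify_against_truststore() {
  if openssl verify -CAfile "$WORK/root-ca.pem" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# The same check with hostname verification: the cert must chain to the CA and
# carry the expected hostname. A cert shared across nodes cannot satisfy this.
verify_hostname() {
  if openssl verify -CAfile "$WORK/root-ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Initial cluster: CA plus two nodes.
make_root_ca
make_node_cert esnode1.example.com
make_node_cert esnode2.example.com

# Later: a third node is added. Only its own key/cert are new; root-ca.pem
# (every other node's truststore) is untouched and still validates it.
make_node_cert esnode3.example.com
echo "esnode3 against existing truststore: $(verify_against_truststore "$WORK/esnode3.example.com.pem")"

# A certificate that was not signed by the root CA is rejected, so an arbitrary
# self-signed cert cannot join the cluster.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=rogue.example.com" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
echo "rogue self-signed cert: $(verify_against_truststore "$WORK/rogue.pem")"

# One certificate reused on every node chains fine, but hostname verification
# fails on any node whose name is not in it.
make_node_cert shared-node
echo "shared cert, chain only:        $(verify_against_truststore "$WORK/shared-node.pem")"
echo "shared cert, hostname esnode2:  $(verify_hostname "$WORK/shared-node.pem" esnode2.example.com)"
echo "esnode2 cert, hostname esnode2: $(verify_hostname "$WORK/esnode2.example.com.pem" esnode2.example.com)"
```

Run it as `sh demo.sh`. The files it produces map onto the two stores in the answer: `root-ca.pem` is the truststore content every node shares, and each `<node>.key` plus `<node>.pem` pair is that node's keystore content. Because the new node's certificate is validated purely by chaining to the CA, nothing on the existing nodes changes when a node joins; with a per-node certificate the cluster can also turn on hostname verification, which the shared-certificate shortcut rules out.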


On Monday, August 7, 2017 at 11:37:46 AM UTC+2, mcostantini@np6.com wrote:
