Beginner lost and confused about SSL configuration -- please help guide

Elasticsearch: 6.3.0

Search Guard: 6

Operating System: Server 2012 R2

Java: 1.8.0_181


I am trying to setup searchguard with SSL for a developer on a team. I don’t have any pre-existing knowledge or experience with searchguard or elasticsearch.

I have been following the instructions and docs at Configuring TLS | Security for Elasticsearch | Search Guard and have downloaded the search guard TLS tool, but I am quite lost. I am familiar with how these are setup usually in Linux – in haproxy, we just specify one pem file to use these cyphers.

But when I look at searchguard, it is asking for many different files. a PEM, a key pem, a root ca pem — I don’t know how to interpret these and match them to what I have. I have a key, which I got from a csr, and then the CA gave me a ca-bundle and a .crt . I was able to create the PEM needed for my linux application, but I don’t know to interpret any of these lines-

searchguard.ssl.transport.pemcert_filepath: .crt

searchguard.ssl.transport.pemkey_filepath: star.bundle

searchguard.ssl.transport.pemtrustedcas_filepath: STAR_ca-bundle

(my attempt at trying to match ^^)

I had also tried with the keystore settings, but 1) I kept getting a “no key alias found as name xyz” when it was specified explicitly in my config. and 2) I wasn’t able to differentiate but a keystore and a truststore – I don’t think having them both the same (even if all necessary documents were imported) worked. I’ve also tried multiple combinations of my files in the above config sections.

I was only able to get ES running if I allowed unsafe demo certs – if I didn’t have that, it would always error out saying it found demo certs (even if I moved everything out of the config folder, something Im missing I guess). I really don’t want to have to enable that setting on production just to get ES to run…

Finally, the only thing I see later is “Unknown Certificate” exception and “General SSL Error” // “SSL Engine”

I tried reading the troubleshooting TLS section, but the details there are over my head, and I don’t even know how to validate a lot of the statements there. In addition to googling, and trying to read docs, I’ve hit a dead end.

I am completely lost in how to set this up and why I can’t just use my one wildcard pem file to make this work.

All I need is someone to give me a simple description on what files go where, as if I was 10 years old. This is all new to me, and I would really really appreciate some amount of guidance here. I know I have all the right files, I just don’t know how to make sense out of any of this.