Cannot upload SG cover Elasticsearch. How to add SubjectAltName in root-ca.pem file

#1

Hi,

I have installed Search Guard in a Linux VM. Suppose the IP is 10.123.44.99.
Now when I try to upload the data using an external tool jar file from my local machine, even after providing the root-ca.pem certificate with the truststore (which was the error), it shows another error stating that it does not recognize the IP.

Upon some googling I found that I need to add SubjectAltName in the certificate,
i.e. the domain name of the VM I have deployed my Elasticsearch into.

I also found out that we cannot add it in the already created certificate (here).

So if I cannot add SubjectAltName in root-ca.pem, as it will disrupt the signature, is there some other possible option?

If I somehow manage to create a .pem certificate of my own, as instructed in this link,
how can I use it instead of root-ca.pem? That seems like a complicated task, because I think other certificates are also dependent on this certificate or something.

Also, to add on to this topic:
I checked the online TLS certificate generator platform of Search Guard,
where we fill in our email, company name, and hostname and they send self-signed certificates.
But it is mentioned that IP addresses are not allowed.

Thank you

0 Likes

#2

The easiest way by far to generate all TLS certificates needed for running Search Guard is to use our offline TLS generator tool:

The way it works is that you create a YAML configuration file which describes what certificates it should generate, what the hostname and/or IP addresses in the SAN section should look like, etc.

The tool will then generate all certificates for you, including elasticsearch.yml configuration snippets.

For further information you can also dive into this three-article blog post series on our website:

1 Like
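
An added illustration, not part of the thread and not the Search Guard tool or its output: the SubjectAltName that a client checks lives on the node certificate, which is signed by the root CA, so root-ca.pem itself needs no SAN and its signature is never touched. The sketch assumes the `openssl` CLI is installed; the DNs and every file name except root-ca.pem are constructed for the example, and it shows only where the SAN goes, not a full Search Guard certificate set.

```bash
#!/usr/bin/env bash
# Added example (assumes the openssl CLI). DNs and file names other than
# root-ca.pem are constructed for illustration.

NODE_IP="10.123.44.99"   # VM address from the question

# make_certs DIR: create a root CA and a node certificate carrying an IP SAN.
make_certs() {
  # 1. Self-signed root CA. No SubjectAltName is requested for it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$1/root-ca.key" -out "$1/root-ca.pem" 2>/dev/null || return 1
  # 2. Private key and signing request for the Elasticsearch node.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=es-node-1" \
    -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null || return 1
  # 3. The SAN is an extension of the node certificate. An IP address must be
  #    an IP: entry; a DNS: entry would not match a client connecting by IP.
  printf 'subjectAltName = IP:%s\n' "$NODE_IP" > "$1/san.ext"
  # 4. The root CA signs the node certificate, SAN included.
  openssl x509 -req -in "$1/node.csr" -days 30 \
    -CA "$1/root-ca.pem" -CAkey "$1/root-ca.key" -CAcreateserial \
    -extfile "$1/san.ext" -out "$1/node.pem" 2>/dev/null || return 1
}

# client_accepts DIR IP: succeed only if node.pem chains to root-ca.pem AND
# lists IP in its SAN. This mirrors what a client trusting only root-ca.pem does.
client_accepts() {
  openssl verify -CAfile "$1/root-ca.pem" -verify_ip "$2" "$1/node.pem" \
    >/dev/null 2>&1
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_certs "$demo_dir" && client_accepts "$demo_dir" "$NODE_IP"; then
  echo "client trusting only root-ca.pem accepts $NODE_IP"
fi
rm -rf "$demo_dir"
```

The same trust anchor rejects any address that is not listed in the node certificate's SAN, which is the "does not recognize the IP" failure described in the question.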
