Keystore best practices

Hi,

I managed to run and connect to Elastic with Search Guard in single mode and it looks great.
I set up a cluster with the exact same config and truststore and keystore for all nodes.
Is it OK from a security point of view to have the same keystore and truststore for all nodes?

If not, does it mean that if I create a keystore per node, I need to add this keystore to the truststore?
In that case, am I supposed to update the truststore file on all nodes and clients every time I add a node?

Is there any best-practice document I can follow that summarizes the topic?

Best,
Ofir

That really depends on what level of security you require. We do have customers that use the same certificates (keystores) on all their nodes. And this is a perfectly valid scenario.

What this setup does not give you is hostname verification and DNS lookups:

When Search Guard receives a certificate, it is able to compare the hostname that is configured in the certificate with the hostname of the node the request comes from. Only if they match is the certificate deemed valid.

You can also take that one step further and add DNS lookups into the mix. If this is enabled, then we perform a DNS lookup of the hostname in addition. Only if the hostname resolves do we deem the certificate valid.

If you use one certificate (keystore), then this is not really possible, since you use the same cert for all nodes.

But not all users require that level of security, and we do have customers that run a setup where they have one certificate per node in production.

Thank you for the answer. Much appreciated.
My customer's security is very strict, so if I put a different keystore per node for HTTP SSL, how would that be done or managed?

You cannot have multiple keystores per node. But you can have multiple certificates in one keystore and refer to them via their aliases: searchguard.ssl.http.keystore_alias

See Configuring TLS | Security for Elasticsearch | Search Guard for more details.
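
The per-node setup discussed in the two replies above, as an added example that is not part of this thread and not Search Guard's own tooling: one private CA signs a separate certificate per node whose SAN is that node's hostname, the truststore holds only the CA certificate (so adding a node means signing one more certificate, not redistributing truststores), each node gets a PKCS12 keystore with a named alias, and openssl runs the chain-plus-hostname check that hostname verification performs. The hostnames, aliases, password and working directory are made up for the demonstration; the Search Guard setting names in the comments are taken from its TLS documentation and should be confirmed against your version.

```shell
#!/bin/sh
# Added example (not from the thread or from Search Guard): private CA, per-node
# certificates with SAN = hostname, CA-only truststore, PKCS12 keystore per node with
# an alias, and an openssl hostname-verification check.
# Assumes openssl 1.1.1+ on PATH. Hostnames, aliases and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # keystore password, placeholder only

# One private CA. Its certificate is the ONLY entry the truststore needs, so a new node
# later means signing one more certificate, not editing the truststore on every node.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Cluster CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  cp "$WORK/ca.crt" "$WORK/truststore.pem"
}

# make_node_cert <hostname>: key + CA-signed certificate whose SAN is the hostname.
# Hostname verification compares the peer's hostname against this SAN, which is why
# one certificate shared by all nodes cannot satisfy it.
make_node_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$host" \
    > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" >/dev/null 2>&1
}

# make_keystore <hostname> <alias>: PKCS12 keystore for that node. The alias (PKCS12
# friendlyName) is what searchguard.ssl.http.keystore_alias / .transport.keystore_alias
# select when a keystore holds more than one certificate.
make_keystore() {
  openssl pkcs12 -export -name "$2" -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/$1.p12"
}

# keystore_alias <file.p12>: print the alias of the certificate in the keystore.
keystore_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# verify_host <cert.pem> <expected-hostname>: succeeds only if the certificate chains to
# the truststore AND its SAN matches the hostname, i.e. what
# searchguard.ssl.transport.enforce_hostname_verification: true enforces.
verify_host() {
  openssl verify -CAfile "$WORK/truststore.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# dns_resolves <hostname>: the optional second step (resolve_hostname: true), here via
# getent, which assumes a Linux host.
dns_resolves() { getent hosts "$1" >/dev/null 2>&1; }

make_ca
for node in node1.example.com node2.example.com; do
  make_node_cert "$node"
  make_keystore "$node" "${node%%.*}-transport"
done

# Each node's certificate passes for its own hostname and is rejected for the other's.
for node in node1.example.com node2.example.com; do
  other=node1.example.com
  [ "$node" = "$other" ] && other=node2.example.com
  printf '%s: alias=%s ' "$node" "$(keystore_alias "$WORK/$node.p12")"
  verify_host "$WORK/$node.crt" "$node" && printf 'own-hostname=OK '
  verify_host "$WORK/$node.crt" "$other" || printf 'as-%s=REJECTED' "$other"
  echo
done
echo "truststore (CA only): $WORK/truststore.pem"
```

Point every node's truststore setting at the same truststore.pem (or a PKCS12/JKS built from it) and its keystore setting at its own .p12 with the matching alias; clients need only the CA certificate as well. If one node must carry both a transport and an HTTP certificate in a single keystore file, give them distinct aliases; openssl cannot merge two keyed entries into one PKCS12, so that merge is a keytool -importkeystore job (assumed usage, not shown here).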
