Renew Certificates

Search Guard
1

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version -->6

  • Installed and used enterprise modules, if any->no

  • JVM version and operating system version->1.8 and centos 6.7

  • Search Guard configuration files -->I will provide the information

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

How to renew SSL certificates in serachguard ? Could you please brief me the process

I am thinking

1.install new certificates with keytool

2.self sign them and install with sgadmin

3.configure them in elasticsearch.yml file

Please let me know the process.

Thank You

2

This depends if you want to do a rolling restart or if you can afford a full cluster restart. In any case, you do not “install” any certificates with sgadmin, they are just configured in elasticsearch.yml. So in case you can do a full cluster restart:

  1. Generate new certificates. You need at least:

  • Root CA

  • One node certificate (although it’s advisable to have separate certificates for each node)

  • One admin certificate

  1. Stop all nodes

  2. Place the root and node certs in the config directory of ES

  3. Change elasticsearch.yml to point to the new certs

  4. Start all nodes

That should be all.

···

On Friday, June 29, 2018 at 10:08:02 PM UTC+2, Rudra wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version -->6
  • Installed and used enterprise modules, if any->no
  • JVM version and operating system version->1.8 and centos 6.7
  • Search Guard configuration files -->I will provide the information
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

How to renew SSL certificates in serachguard ? Could you please brief me the process

I am thinking

1.install new certificates with keytool

2.self sign them and install with sgadmin

3.configure them in elasticsearch.yml file

Please let me know the process.

Thank You

3

Should i run any sgadmin commands after generating new certificates for searchguard.

Thanks for the help.

···

On Jul 1, 2018, at 5:51 AM, Jochen Kressin jkressin@floragunn.com wrote:

This depends if you want to do a rolling restart or if you can afford a full cluster restart. In any case, you do not “install” any certificates with sgadmin, they are just configured in elasticsearch.yml. So in case you can do a full cluster restart:

  1. Generate new certificates. You need at least:
  • Root CA
  • One node certificate (although it’s advisable to have separate certificates for each node)
  • One admin certificate
  1. Stop all nodes
  1. Place the root and node certs in the config directory of ES
  1. Change elasticsearch.yml to point to the new certs
  1. Start all nodes

That should be all.

On Friday, June 29, 2018 at 10:08:02 PM UTC+2, Rudra wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version -->6
  • Installed and used enterprise modules, if any->no
  • JVM version and operating system version->1.8 and centos 6.7
  • Search Guard configuration files -->I will provide the information
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

How to renew SSL certificates in serachguard ? Could you please brief me the process

I am thinking

1.install new certificates with keytool

2.self sign them and install with sgadmin

3.configure them in elasticsearch.yml file

Please let me know the process.

Thank You

You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d2381b32-7c3d-4c5a-a872-1050ced280ef%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

4

Hi Rudra,

can you please share the commands for below steps

  1. Generate new certificates. You need at least:
  • Root CA
  • One node certificate (although it’s advisable to have separate certificates for each node)
  • One admin certificate