I’ve trying to use offline TLS Generator to generate certificates. But it is not generating key store for me. What can I do to generate keystore files. Below are the configurations I’m passing to the sgtlstool.

Self-generated certificate authority

If you want to create a new certificate authority, you must specify its parameters here.

You can skip this section if you only want to create CSRs

ca:
root:
# The distinguished name of this CA. You must specify a distinguished name.
# example: dn: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
dn: CN=Imanami.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com

  # The size of the generated key in bits
  keysize: 2048
  
  # The validity of the generated certificate in days from now
  validityDays: 7500
  
  # Password for private key
  #   Possible values: 
  #   - auto: automatically generated password, returned in config output; 
  #   - none: unencrypted private key; 
  #   - other values: other values are used directly as password   
  pkPassword: auto 
  
  # The name of the generated files can be changed here
  file: Imanami-ca.pem
  
  # If you have a certificate revocation list, you can specify its distribution points here
  # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

If you want to use an intermediate certificate as signing certificate,

please specify its parameters here. This is optional. If you remove this section,

the root certificate will be used for signing.

intermediate:
# The distinguished name of this CA. You must specify a distinguished name.
# example: dn: CN=root.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com
dn: CN=signing.ca.example.com,OU=CA,O=Example Com, Inc.,DC=example,DC=com

  # The size of the generated key in bits   
  keysize: 2048
  
  # The validity of the generated certificate in days from now      
  validityDays: 7500

  pkPassword: auto
        
  # If you have a certificate revocation list, you can specify its distribution points here      
  crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

Default values and global settings

defaults:

  # The validity of the generated certificate in days from now
  validityDays: 7500 
  
  # Password for private key
  #   Possible values: 
  #   - auto: automatically generated password, returned in config output; 
  #   - none: unencrypted private key; 
  #   - other values: other values are used directly as password   
  pkPassword: auto      

  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //. 
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  # 
  # Examples:      
  # - "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/' 

  # nodesDn:

  # If you want to use OIDs to mark legitimate node certificates, 
  # the OID can be included in the certificates by specifying the following
  # attribute
  
  # nodeOid: "1.2.3.4.5.5"
  
  # The length of auto generated passwords
  generatedPasswordLength: 12
  
  # Set this to true in order to generate config and certificates for 
  # the HTTP interface of nodes
  httpsEnabled: true
  
  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  
  # reuseTransportCertificatesForHttp: false
  
  # Set this to true to enable hostname verification
  #verifyHostnames: false
  
  # Set this to true to resolve hostnames
  #resolveHostnames: false
  
  # Use elliptic curves instead of RSA, Default is false.
  #useEllipticCurves: true
  
  # The curve to be used (default is NIST P-384)
  #ellipticCurve: secp256k1

  # Signature algorithm (for RSA default is SHA256withRSA, for EC its SHA256withECDSA)
  #signatureAlgorithm: SHA512withRSA

Nodes

Specify the nodes of your ES cluster here

nodes:
# The node name is just used as name of the generated files

• name: Imanami
  dn: CN=Imanami.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com

  DNS names of this node. Several names can be specified as list

  dns:

  - node1.example.com

  - node1.exampleinc.com

  The IP addresses of this node. Several addresses can be specified as list

  ip: 10.0.2.1

  If you want to override the keysize, pkPassword or validityDays values from

  the defaults, just specify them here.

Clients

Specify the clients that shall access your ES cluster with certificate authentication here

At least one client must be an admin user (i.e., a super-user). Admin users can

be specified with the attribute admin: true

clients:
# The client name is just used as name of the generated files

• name: demouser
  dn: CN=demouser.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com

• name: sgadmin
  dn: CN=sgadmin.example.com,OU=Ops,O=Example Com, Inc.,DC=example,DC=com
  admin: true

  To mark the client as super-user

  admin: true

  If you want to override the keysize, pkPassword or validityDays values from

  the defaults, just specify them here.

The TLS generator is for PEM certificates only. PEM is the preferred format of TLS certificates in Search Guard. Is there any reason you need the certificates as .jks?

If you need the certificates in a keystore, you can simply use the Java keytool command to import the certificates to an existing keystore:

As an alternative you can also use our online TLS generator:

But please note that since the certificates are generated on our servers you should not use them in production.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.