As I said in the first post, my ES+SG nodes live in containers.
I have two options for how to provide the same signing CA to all nodes:
- Generate it and add it during the image build.
- Require the user to generate it before running the instance and somehow add it to the containers.
The first option doesn't work, because all instances created from my images will have the same signing CA. Thus, any user from any instance will have an administrative certificate and administrative access to any other instance.
The second option doesn't work, because I would like to provide the simplest and most automated use of my images. The user would have to perform additional steps to generate a root and signing CA before running their instance. Then the user would have to push the signing CA to the containers. The mechanism for pushing the signing CA differs between container orchestration systems.
To avoid the disadvantages of these two options, I had a plan to generate a signing CA and the other certificates for each node in the instance at startup. But in this scenario the individual nodes will not communicate with each other, because of the different signing CAs. That is why I asked about the possibility of using plain HTTP for the transport layer.
But it looks like that is not possible.
So now I plan to use option #1 (root/signing CA generated at image build time), but to disable client certificates for the REST layer. Thus, a user from one instance will not have access to other instances via the administrative certificate. It seems this solution meets my requirements.
Thank you for your help and support!