What certificates do I need to secure ELK?

We have an internal CA. We work in a Windows environment.

How many certificates should I generate in our CA? Which common and subject names?

This can be done in several ways, but best practice is to generate one certificate per node, and one certificate that can be used for administering Search Guard.

The common name and subject name are really up to you. If you have an internal CA, then I would assume you have some internal guidelines for that. Search Guard makes no assumption on the DN of the certificate at all.

You should also add the hostname and/or IP addresses of your ES nodes as Subject Alternative Name, as you would do with any TLS certificate for, say, a webserver.

The DNs of the node certificates and the DN of the admin certificate then need to be configured in elasticsearch.yml, as described in the docs:

Chapters “Configuring Node certificates” and “Configuring Admin certificates”.

On Tuesday, November 14, 2017 at 9:06:51 AM UTC+1, carlosdlra wrote:

We have an internal CA. We work in a Windows environment.

How many certificates should I generate in our CA? Which common and subject names?
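The DN configuration described in the reply above, as an added example that is not part of the original thread or the Search Guard docs: an `elasticsearch.yml` fragment for an assumed three-node cluster, which needs four certificates from the internal CA (one per node plus one admin). Every DN and hostname is a constructed placeholder; substitute the exact subject DNs your CA issues.

```yaml
# elasticsearch.yml (fragment), identical on every node.
# Assumed inventory: three node certificates plus one admin certificate.
# All DNs below are constructed placeholders.

# Subject DNs of the node certificates. A certificate presented on the
# transport layer is treated as a cluster node only if its DN is listed
# here, so list each node's DN exactly as the CA issued it.
searchguard.nodes_dn:
  - "CN=es-node1.example.internal,OU=Elasticsearch,O=Example Corp,C=DE"
  - "CN=es-node2.example.internal,OU=Elasticsearch,O=Example Corp,C=DE"
  - "CN=es-node3.example.internal,OU=Elasticsearch,O=Example Corp,C=DE"

# Subject DN of the separate certificate used for administering
# Search Guard. It must not match any of the node DNs above.
searchguard.authcz.admin_dn:
  - "CN=sgadmin,OU=Elasticsearch Admin,O=Example Corp,C=DE"

# Hostname verification between nodes checks the peer's address against
# the Subject Alternative Name entries of its certificate, which is why
# each node certificate needs its hostname and/or IP address as SAN.
searchguard.ssl.transport.enforce_hostname_verification: true
```

The DN strings must match the issued certificates' subjects; compare them against what the CA actually produced before restarting the nodes.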