- 在es的bin目录下执行./elasticsearch-certutil ca生成elastic-stack-ca.p12
[root@localhost elasticsearch-7.6.0]# cd bin/
[root@localhost bin]# ls
elasticsearch elasticsearch-cli elasticsearch-keystore elasticsearch-saml-metadata elasticsearch-sql-cli-7.6.0.jar x-pack-security-env
elasticsearchbak elasticsearch-croneval elasticsearch-migrate elasticsearch-setup-passwords elasticsearch-syskeygen x-pack-watcher-env
elasticsearch-certgen elasticsearch-env elasticsearch-node elasticsearch-shard elasticsearch-users
elasticsearch-certutil elasticsearch-env-from-file elasticsearch-plugin elasticsearch-sql-cli x-pack-env
[root@localhost bin]# ./elasticsearch-certutil ca代码语言:javascript复制
Please enter the desired output file [elastic-stack-ca.p12]: elastic-stack-ca.p12
Enter password for elastic-stack-ca.p12 :
- 生成 elastic-stack-ca.p12后,执行命令elasticsearch-certutil,注意elastic-stack-ca.p12文件必须是完整路径,否则报错
[root@localhost bin]# ./elasticsearch-certutil cert --ca /home/summer/elasticsearch-7.6.0/elastic-stack-ca.p12
Enter password for CA (/home/elasticsearch/elastic-stack-ca.p12) :
Please enter the desired output file [elastic-certificates.p12]: elastic-certificates.p12
Enter password for elastic-certificates.p12 : #这里可以不用输入密码,直接按回车键
Certificates written to /home/elasticsearch/elastic-certificates.p12
- 生成的elastic-certificates.p12文件拷贝到每个节点的config目录下
- 修改配置elasticsearch.yml elasticsearch.yml配置文件中增加下列配置
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
- 配置密码
./elasticsearch-setup-passwords interactive
验证:浏览器访问弹出要求输入账号密码框
