SearchGuard certificate configuration
Add hosts entries
192.168.10.120 node1.company.com
192.168.10.xxx node2.company.com
192.168.10.xxx node3.company.com
TLS tool installation
- Download the TLS tool
  https://repo1.maven.org/maven2/com/floragunn/search-guard-tlstool/1.5/
- Unzip it: unzip search-guard-tlstool-1.6.zip -d tlstool-1.6
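TLS certificate generation configuration
- Copy <tlstool directory>/config/example.yml to <tlstool-1.6>/config/tlsconfig.yml (any file name will do) and edit it
  - company is the company name
  - ca: root certificate configuration
  - node: node certificate configuration
  - clients: client certificate configuration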
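A pre-flight check for the ca section of tlsconfig.yml before running the TLS tool, added here as an example (not code from the original page or from the Search Guard project): it flags CA key sizes under 2048 bits and a pkPassword that is none or a literal value. The function names, the 2048-bit floor and the sample text are assumptions of this example.

```python
# Constructed sample in the layout of the ca section of tlsconfig.yml (not a real deployment).
SAMPLE = """\
ca:
  root:
    dn: CN=root.ca.company.com,OU=CA,O=company Com\\, Inc.,DC=company,DC=com
    keysize: 2048
    pkPassword: auto
  intermediate:
    dn: CN=signing.ca.company.com,OU=CA,O=company Com\\, Inc.,DC=company,DC=com
    keysize: 1024
    pkPassword: none
"""

def parse_ca(text):
    """Read the two-level 'ca:' mapping by indentation (assumes spaces, no inline comments)."""
    cas, in_ca, name_indent, current = {}, False, None, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        indent = len(raw) - len(raw.lstrip())
        key, _, value = stripped.partition(":")
        if indent == 0:
            in_ca, name_indent, current = key == "ca", None, None
        elif in_ca:
            if name_indent is None:
                name_indent = indent  # first nested line sets the CA-name level
            if indent == name_indent:
                current = key
                cas[current] = {}
            elif current is not None:
                cas[current][key] = value.strip()
    return cas

def lint_ca(text, min_keysize=2048):
    """Return (ca_name, finding) pairs; min_keysize is this example's assumed policy floor."""
    findings = []
    for name, cfg in parse_ca(text).items():
        if not cfg.get("dn"):
            findings.append((name, "dn missing"))
        size = cfg.get("keysize", "")
        if not size.isdigit() or int(size) < min_keysize:
            findings.append((name, f"keysize {size or 'unset'} (minimum {min_keysize})"))
        pw = cfg.get("pkPassword", "")
        if pw == "none":
            findings.append((name, "private key stored unencrypted"))
        elif pw and pw != "auto":
            findings.append((name, "literal key password kept in the config file"))
    return findings
```

Call lint_ca() on the contents of your own tlsconfig.yml; an empty list means none of these three conditions was found.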
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=root.ca.company.com,OU=CA,O=company Com\, Inc.,DC=company,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    # Password for private key
    #   Possible values:
    #   - auto: automatically generated password, returned in config output;
    #   - none: unencrypted private key;
    #   - other values: other values are used directly as password
    pkPassword: auto
    # The name of the generated files can be changed here
    file: root-ca.pem
  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    dn: CN=signing.ca.company.com,OU=CA,O=company Com\, Inc.,DC=company,DC=com
    # The size of the generated key in bits
    keysize: