How to configure SSL/TLS in Elasticsearch

13 Feb 2024 · 2 min read

Introduction

In the digital age, protecting data in transit and at rest is critical for any organization. Elasticsearch, a popular open source search and analytics engine, is no exception. It is widely used for analyzing log or event data, full-text search, and complex queries. However, without adequate security measures, sensitive data can be vulnerable to interception and unauthorized access. Enabling SSL/TLS (Transport Layer Security) in Elasticsearch is a crucial step in safeguarding your data.

This comprehensive guide outlines the steps to set up SSL/TLS, ensuring greater security for your Elasticsearch cluster.

Prerequisites

Before you get started, make sure you have the following:

  • A configured and working Elasticsearch cluster.
  • Administrative access to Elasticsearch configuration files.
  • A valid SSL/TLS certificate. You can obtain a certificate from a certificate authority (CA) or generate a self-signed certificate for testing purposes.

Step 1: Generate SSL/TLS certificates

The first step is to generate SSL/TLS certificates for your Elasticsearch nodes. If you use self-signed certificates for testing, Elasticsearch's elasticsearch-certutil tool can simplify this process. For production environments, we recommend using certificates issued by a trusted CA.

Create a Certificate Authority (CA) – This step is critical as it allows you to sign your Elasticsearch certificates. Elasticsearch provides a tool called elasticsearch-certutil for this purpose.

./bin/elasticsearch-certutil ca

When prompted for the CA file name, press Enter to use the default or set a new name.

Generate SSL certificate for Elasticsearch - Using the CA you created, now generate a specific certificate for your Elasticsearch nodes.

./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Replace elastic-stack-ca.p12 with the actual path where the CA certificate is stored. This command produces a .p12 (PKCS#12) file, which encapsulates the node certificate, private key, and CA certificate. You may need to generate specific certificates for each node in the cluster, depending on your configuration.

Step 2: Configure Elasticsearch to use SSL certificate

Once you have your SSL/TLS certificates, you need to configure Elasticsearch to use them. This involves editing the elasticsearch.yml configuration file on each cluster node.

Add the following configurations to elasticsearch.yml on each node:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

Replace "elastic-certificates.p12" with the file name of the certificate you created in the previous step.
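One way to check a node's elasticsearch.yml against the Step 2 settings before restarting, as an added example that is not part of the original article. The function names parse_flat_yaml and audit are hypothetical, the parser assumes the flat dotted-key form shown above, and the check also flags verification_mode: none and notes that certificate mode validates the CA chain but not the hostname.

```python
# Added example (not from the original article): audit Step 2's TLS settings.
# Assumption: elasticsearch.yml uses the flat "dotted.key: value" form shown above.
P = "xpack.security."
MUST_BE_TRUE = [P + k for k in ("enabled", "transport.ssl.enabled", "http.ssl.enabled")]
STORE_PATHS = [f"{P}{layer}.ssl.{store}.path"
               for layer in ("transport", "http") for store in ("keystore", "truststore")]
VMODE = P + "transport.ssl.verification_mode"
CLIENT_AUTH = P + "transport.ssl.client_authentication"

def parse_flat_yaml(text):
    """Return {key: value} for flat 'key: value' lines; comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return (severity, message) findings; FAIL means a Step 2 setting is missing or weak."""
    cfg, out = parse_flat_yaml(text), []
    for key in MUST_BE_TRUE:
        if cfg.get(key, "").lower() != "true":
            out.append(("FAIL", f"{key} is not true"))
    for key in STORE_PATHS:
        if not cfg.get(key):
            out.append(("FAIL", f"{key} is not set"))
    mode = cfg.get(VMODE, "full")  # Elasticsearch's default is full
    if mode == "none":
        out.append(("FAIL", f"{VMODE}: none skips peer certificate checks"))
    elif mode == "certificate":
        out.append(("NOTE", f"{VMODE}: certificate checks the CA chain, not the hostname"))
    if cfg.get(CLIENT_AUTH, "required") != "required":  # transport default is required
        out.append(("FAIL", f"{CLIENT_AUTH} must be required for mutual node authentication"))
    return out

# Constructed sample: HTTP TLS left off and peer verification disabled.
WEAK = """xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none   # constructed weak value
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
"""

if __name__ == "__main__":
    for severity, message in audit(WEAK):
        print(severity, message)
```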

Step 3: Restart Elasticsearch

After configuring all nodes, restart the Elasticsearch cluster to apply the changes. Make sure the cluster starts without errors and that all nodes can communicate with each other via SSL/TLS.

Step 4: Check your SSL/TLS configuration

To verify that SSL/TLS is enabled and working properly, use a tool like curl to make a request to the Elasticsearch HTTP API:

curl -k https://localhost:9200

The -k option tells curl to connect without certificate verification, which is useful for initial testing with self-signed certificates; a successful request made this way shows that the HTTPS listener is up, not that the certificate is trusted. If everything is configured correctly, you should receive a JSON response from Elasticsearch.

Conclusion

Securing your Elasticsearch cluster with SSL/TLS is a critical step in protecting your data. By following the steps outlined in this guide, you can ensure that your data remains secure during transport, mitigating potential risks of data interception or tampering. Always remember to use trusted CA certificates for production environments to ensure the highest level of security and reliability.
