Generate certificates

    You can probably find OpenSSL in the package manager for your operating system.

    On CentOS, use Yum:

        sudo yum install openssl

    On macOS, use Homebrew:

        brew install openssl

      The first step in this process is to generate a private key using the genrsa command. As the name suggests, you should keep this file private.

      Private keys must be of sufficient length to be secure, so specify 2048:

          openssl genrsa -out root-ca-key.pem 2048

      You can optionally add the -aes256 option to encrypt the key using the AES-256 standard. This option requires a password, which you must supply every time the key is used (for example, when signing certificates below).

      Generate a root certificate

      Next, use the key to generate a self-signed certificate for the root CA:

          openssl req -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -days 730

      The default -days value of 30 is only useful for testing purposes. This sample command specifies 730 (two years) for the certificate expiration date, but use whatever value makes sense for your organization.

      • The -x509 option specifies that you want a self-signed certificate rather than a certificate request.
      • The -sha256 option sets the hash algorithm to SHA-256. SHA-256 is the default in later versions of OpenSSL, but earlier versions might use SHA-1.

      Generate an admin certificate

      To generate an admin certificate, first create a new key:

          openssl genrsa -out admin-key-temp.pem 2048

      Then convert that key to PKCS#8 format for use in Java using a PKCS#12-compatible algorithm (3DES):

          openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out admin-key.pem

      Because of the -nocrypt option, the resulting admin-key.pem is stored unencrypted, so restrict its file permissions and treat it with the same care as the root CA key.

      Next, create a certificate signing request (CSR). This file acts as an application to a CA for a signed certificate:

          openssl req -new -key admin-key.pem -out admin.csr

      Follow the prompts to fill in the details. You don’t need to specify a challenge password. As the OpenSSL Cookbook notes, “Having a challenge password does not increase the security of the CSR in any way.”

      Finally, generate the certificate itself:

          openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 730

      Just like the root certificate, use the -days option to specify an expiration date of longer than 30 days.

      Follow the steps in Generate an admin certificate with new file names to generate a new certificate for each node and as many client certificates as you need. For example, you might generate one client certificate for OpenSearch Dashboards and another for a Python client. Each certificate should use its own private key.

      If you generate node certificates and have plugins.security.ssl.transport.enforce_hostname_verification set to true (default), be sure to specify a common name (CN) for the certificate that matches the hostname of the intended node. If you want to use the same node certificate on all nodes (not recommended), set hostname verification to false. For more information, see .

      Sample script

      Add distinguished names to opensearch.yml

      You must specify the distinguished names (DNs) for all admin and node certificates in opensearch.yml on all nodes. Using the certificates from the sample script above, part of opensearch.yml might look like this:

          plugins.security.authcz.admin_dn:
            - 'CN=ADMIN,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'
          plugins.security.nodes_dn:
            - 'CN=node1.example.com,OU=UNIT,O=ORG,L=TORONTO,ST=ONTARIO,C=CA'

      Keep admin DNs and node DNs in their separate lists: any certificate whose DN appears under admin_dn has full administrative rights on the cluster, so a node DN listed there grants the node far more than it needs.

      But if you look at the subject of the certificate after creating it, you might see different formatting:

          subject=/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT/CN=node1.example.com

      If you compare this string to the ones above, you can see that you need to invert the order of elements and use commas rather than slashes. Rather than rewriting it by hand, enter this command to print the subject in the RFC 2253 form that opensearch.yml expects:

          openssl x509 -subject -nameopt RFC2253 -noout -in node.pem

      Then copy and paste the output into opensearch.yml.

      This process generates many files, but these are the ones you need to add to each node:

      • root-ca.pem
      • admin.pem
      • admin-key.pem
      • (Optional) node1.pem
      • (Optional) node1-key.pem

      On one node, the security configuration portion of opensearch.yml might look like this:
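      The following script is an added example, not the OpenSearch project's own sample script referred to under "Sample script" above. It runs the openssl commands from this page end to end (root CA, admin certificate, one node certificate), reads the DNs back from the certificates with -nameopt RFC2253, verifies that each leaf certificate chains to the root CA, and prints a security section for opensearch.yml of the kind described above. The DN attributes, the hostname node1.example.com, the output directory passed as the first argument and the gen-certs.sh file name are all constructed sample values.

```shell
#!/bin/sh
# Added example, not the OpenSearch project's own sample script. It runs the
# openssl commands from this page end to end (root CA, admin certificate, one
# node certificate), then prints the security portion of opensearch.yml with
# the DNs in the RFC 2253 form that the plugin expects.
# Assumptions (constructed sample values): the DN attributes below, the
# hostname node1.example.com and the certificate directory passed as $1.

SUBJ_BASE="/C=CA/ST=ONTARIO/L=TORONTO/O=ORG/OU=UNIT"
DAYS=730   # two years, as in the commands above; adjust for your organization

# Root CA: private key, then a self-signed certificate (-x509).
make_root_ca() {
    openssl genrsa -out "$1/root-ca-key.pem" 2048
    openssl req -new -x509 -sha256 -key "$1/root-ca-key.pem" \
        -subj "$SUBJ_BASE/CN=ROOT" -out "$1/root-ca.pem" -days "$DAYS"
}

# Leaf certificate: key -> PKCS#8 key -> CSR -> certificate signed by the root.
# $1 = directory, $2 = file basename (admin, node1, ...), $3 = common name.
make_leaf_cert() {
    dir="$1"; name="$2"; cn="$3"
    openssl genrsa -out "$dir/$name-key-temp.pem" 2048
    openssl pkcs8 -inform PEM -outform PEM -in "$dir/$name-key-temp.pem" \
        -topk8 -nocrypt -v1 PBE-SHA1-3DES -out "$dir/$name-key.pem"
    # -subj answers the prompts non-interactively; no challenge password is set.
    openssl req -new -key "$dir/$name-key.pem" -subj "$SUBJ_BASE/CN=$cn" \
        -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca-key.pem" -CAcreateserial -sha256 \
        -out "$dir/$name.pem" -days "$DAYS"
    rm -f "$dir/$name-key-temp.pem" "$dir/$name.csr"   # only the final files are needed
}

# Subject in the comma-separated, reversed form that opensearch.yml expects.
rfc2253_subject() {
    openssl x509 -subject -nameopt RFC2253 -noout -in "$1" | sed 's/^subject= *//'
}

# Exit status 0 if the certificate chains to the root CA in the given directory.
verify_against_root() {
    openssl verify -CAfile "$1/root-ca.pem" "$2" >/dev/null 2>&1
}

# Print the security portion of opensearch.yml for one node, using the DNs
# read back from the certificates rather than retyped by hand.
opensearch_yml_snippet() {
    dir="$1"
    cat <<EOF
plugins.security.ssl.transport.pemcert_filepath: node1.pem
plugins.security.ssl.transport.pemkey_filepath: node1-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: true
plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: node1.pem
plugins.security.ssl.http.pemkey_filepath: node1-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem
plugins.security.authcz.admin_dn:
  - '$(rfc2253_subject "$dir/admin.pem")'
plugins.security.nodes_dn:
  - '$(rfc2253_subject "$dir/node1.pem")'
EOF
}

# Generate the root CA, the admin certificate and one node certificate.
generate_pki() {
    mkdir -p "$1"
    make_root_ca "$1"
    make_leaf_cert "$1" admin ADMIN
    make_leaf_cert "$1" node1 node1.example.com   # CN must match the node's hostname
    chmod 600 "$1"/*-key.pem                       # the keys are stored unencrypted
}

# Usage: sh gen-certs.sh ./certs
if [ $# -gt 0 ]; then
    generate_pki "$1"
    opensearch_yml_snippet "$1"
fi
```

      Run it as `sh gen-certs.sh ./certs`; it prints the YAML section to paste into opensearch.yml on the node, with node1.pem and node1-key.pem used for both the transport and HTTP layers. To add more nodes or clients, call make_leaf_cert again with a new basename and a CN that matches the intended hostname, and add each node's DN under plugins.security.nodes_dn rather than under admin_dn.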

      For more information about adding and using these certificates in your own setup, see Docker security configuration, , and Client certificate authentication.

      Run securityadmin.sh

      After configuring your certificates and starting OpenSearch, run securityadmin.sh to initialize the security plugin. For information about how to use this script, see Apply configuration changes.

      OpenSearch Dashboards