1. elasticsearch-certgen method
Note: with this method, adding a node later means the certificates have to be regenerated and placed on all ES nodes.
2. elasticsearch-certutil method
## (1) Create the certificates
$ pwd
/alidata1/admin/tools/elasticsearch-6.8.6
$ ./bin/elasticsearch-certutil ca --pem --out ca.zip --days 36500 -s   ## generates ca.zip
$ unzip ca.zip
$ openssl x509 -in ca/ca.crt -noout -dates   ## check the certificate validity period
notBefore=Jun 9 02:15:46 2020 GMT
notAfter=May 16 02:15:46 2120 GMT
$ ./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --pem --name za-test --out za-test.zip --days 36500 -s   ## generates za-test.zip
$ unzip za-test.zip
$ openssl x509 -in za-test/za-test.crt -noout -dates   ## check the certificate validity period
notBefore=Jun 9 02:24:27 2020 GMT
notAfter=May 16 02:24:27 2120 GMT

## (2) Copy the certificates to the target directory
$ mkdir config/certs
$ cp ca/* za-test/* config/certs

## (3) Copy the new certificates to every machine in the cluster
$ scp config/certs/* xxxx

## (4) Modify the configuration
...
## ssl
xpack.security.transport.ssl.enabled: true
xpack.security.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/za-test.key
xpack.security.transport.ssl.certificate: certs/za-test.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
...

## (5) Generate the account passwords
$ ./bin/elasticsearch-setup-passwords interactive   ## enter the passwords one by one
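
As an added example (not part of the original post), this shell function audits a node's config directory after the steps above: each `xpack.security.transport.ssl.*` path must resolve to a file, private keys must not be group- or world-readable, and `ca.key`, which `cp ca/*` copies along although no setting references it, should not remain on the node. The function names `audit_es_tls` and `make_sample`, the placeholder files, and the assumption of flat scalar keys in `elasticsearch.yml` are assumptions of this example.

```shell
# audit_es_tls CONFIG_DIR: prints findings, returns how many there were.
# Assumes flat scalar settings in elasticsearch.yml, as shown on the page.
audit_es_tls() {
  local conf_dir=$1 findings=0 setting path f
  for setting in key certificate certificate_authorities; do
    path=$(sed -n "s/^xpack\.security\.transport\.ssl\.${setting}:[[:space:]]*\([^[:space:]]*\).*/\1/p" \
      "$conf_dir/elasticsearch.yml" | tail -n 1)
    if [ -z "$path" ]; then
      echo "NOT SET: xpack.security.transport.ssl.${setting}"; findings=$((findings + 1)); continue
    fi
    # Relative paths are resolved against the config directory.
    case $path in /*) f=$path ;; *) f="$conf_dir/$path" ;; esac
    if [ ! -f "$f" ]; then
      echo "MISSING FILE for ${setting}: $f"; findings=$((findings + 1))
    fi
  done
  # Private keys must not be readable by group or others.
  for f in "$conf_dir"/certs/*.key; do
    [ -e "$f" ] || continue
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "LOOSE PERMISSIONS: $f"; findings=$((findings + 1))
    fi
  done
  # `cp ca/* ...` also copies ca.key, but the settings only reference ca.crt.
  if [ -e "$conf_dir/certs/ca.key" ]; then
    echo "CA PRIVATE KEY ON NODE: $conf_dir/certs/ca.key"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: a config dir laid out as in the copy and config steps,
# with empty placeholder files standing in for the real PEM files.
make_sample() {
  local d
  d=$(mktemp -d) && mkdir "$d/certs" || return 1
  touch "$d/certs/ca.crt" "$d/certs/ca.key" "$d/certs/za-test.crt" "$d/certs/za-test.key"
  chmod 644 "$d"/certs/*
  cat > "$d/elasticsearch.yml" <<'EOF'
xpack.security.transport.ssl.key: certs/za-test.key
xpack.security.transport.ssl.certificate: certs/za-test.crt
xpack.security.transport.ssl.certificate_authorities: certs/ca.crt
EOF
  echo "$d"
}
```

Called with a node's Elasticsearch config directory as its only argument, the function returns 0 when nothing is flagged and the number of findings otherwise.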
From: https://www.cnblogs.com/Jeffrey1172417122/p/16718354.html