Overview
SSL/TLS certificates provide secure communication between the nodes in the cluster. In this guide, we will go through the steps to create a Certificate Authority (CA) and SSL/TLS certificates using OpenSSL for OpenSearch clusters.
Prerequisites
Before we start, users need the following:
- OpenSSL installed on their local system.
Steps to Create SSL Certificates for OMC on Kubernetes
Step 1: Create a New CA (optional)
If users do not have a CA or wish to use a new one, they can create a new one using the following commands:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out ca.crt -days 365
This will create a new CA that’s valid for 1 year. Users can adjust the expiration date by changing the 365 value.
Step 2: Generate a private key
Generate a private key for the OpenSearch node using the following command:
openssl genrsa -out tls.key 2048
Step 3: Generate a Certificate Signing Request (CSR)
Generate a CSR for the OpenSearch node using the following command:
openssl req -new -key tls.key -out opensearch.csr
Step 4: Sign the CSR with the CA
Sign the CSR with the CA using the following command:
openssl x509 -req -in opensearch.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 365
This will create a certificate for the OpenSearch node signed by the CA, which is valid for 1 year. Users can adjust the expiration date by changing the 365 value.
Step 5: Create a Kubernetes Secret
To use the SSL/TLS certificate in the OMC, create a Kubernetes Secret. To do so, run the following command:
kubectl create secret generic opensearch-ssl --from-file=tls.key --from-file=tls.crt --from-file=ca.crt
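The following script is an added example and is not part of this guide or of the OMC project. It runs Steps 1 through 4 above non-interactively (the guide's openssl commands prompt for subject fields; here -subj supplies them) and then performs the checks a practitioner would want before creating the Secret: the node certificate verifies against the CA, the private key matches the certificate, and the certificate carries a subjectAltName, which TLS clients match against the node's hostname instead of the CN. It goes slightly beyond the guide in that respect: openssl x509 -req does not copy extensions from the CSR, so the SAN is supplied again at signing time through an extension file. Assumptions: OpenSSL 1.1.1 or newer (for -addext), and the CA name and node hostname are placeholders you replace with your cluster's values. The kubectl command in Step 5 is unchanged and is not repeated here.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Assumes OpenSSL 1.1.1+. Hostnames and CA name below are placeholders.
set -eu

# make_node_cert OUTPUT_DIR NODE_HOSTNAME
# Produces ca.key, ca.crt, tls.key, opensearch.csr and tls.crt in OUTPUT_DIR
# and fails (non-zero exit) if any of the post-signing checks do not hold.
make_node_cert() {
  dir="$1"
  node_host="$2"   # DNS name the node is reached by (placeholder)
  mkdir -p "$dir"

  # Step 1: CA key and self-signed CA certificate, valid 365 days.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
    -subj "/CN=example-opensearch-ca"

  # Step 2: node private key.
  openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null

  # Step 3: CSR, with the hostname as a SAN rather than only in the CN.
  openssl req -new -key "$dir/tls.key" -out "$dir/opensearch.csr" \
    -subj "/CN=$node_host" -addext "subjectAltName=DNS:$node_host"

  # Step 4: sign with the CA. x509 -req ignores CSR extensions, so the SAN
  # (and the key usages a node cert needs) are given again via -extfile.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$node_host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/opensearch.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/tls.crt" -days 365 \
    -extfile "$dir/san.ext"

  # Check 1: the node certificate chains to the CA.
  openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null

  # Check 2: the private key belongs to the certificate (same RSA modulus).
  key_mod=$(openssl rsa -noout -modulus -in "$dir/tls.key")
  crt_mod=$(openssl x509 -noout -modulus -in "$dir/tls.crt")
  [ "$key_mod" = "$crt_mod" ]

  # Check 3: the SAN survived signing.
  openssl x509 -noout -text -in "$dir/tls.crt" | grep -q "DNS:$node_host"
}

# Usage: sh make-certs.sh ./certs node-0.opensearch.svc
if [ $# -ge 2 ]; then
  make_node_cert "$1" "$2"
  echo "certificates written to $1 and verified"
fi
```

After the script succeeds, the files in the output directory are the same tls.key, tls.crt and ca.crt that Step 5's kubectl command packages into the opensearch-ssl Secret. Writing the SAN into both the CSR and the extension file is deliberate: a real CA that honours CSR extensions gets the hostname from the CSR, while the extension file is what makes the guide's openssl x509 -req signing step emit it.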
This will create a Kubernetes Secret named opensearch-ssl that contains
Step 6: Provide your own certificate to the OMC
Under the Security section, find “Client Connection To Cluster”, set it to “Use existing certificate secret”, and under “Secret field”, choose the secret that was just created.
