root
/
elasticsearch
mirror of https://github.com/elastic/elasticsearch.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity
elasticsearch/docs/reference/setup/install/connect-clients.asciidoc

50 lines
2.1 KiB
Plaintext
Raw Blame History

==== Connect clients to {es}
When you start {es} for the first time, TLS is configured automatically for the
HTTP layer. A CA certificate is generated and stored on disk, and the hex-coded
SHA-256 fingerprint of this certificate is also output to the terminal. Any
clients that connect to {es}, such as the
https://www.elastic.co/guide/en/elasticsearch/client/index.html[{es} Clients],
{beats}, {ls}, and {fleet} must validate that they trust the certificate that
{es} uses for HTTPS. Clients can establish trust by using either the fingerprint
of the CA certificate or the CA certificate itself.
If the auto-configuration process already completed, you can still obtain the
fingerprint of the security certificate. You can also copy the CA certificate
to your machine and configure your client to use it.
[discrete]
===== Use the CA fingerprint
Copy the fingerprint value that's output to your terminal when {es} starts, and
configure your client to use this fingerprint to establish trust when it
connects to {es}.
If the auto-configuration process already completed, you can still obtain the
fingerprint of the security certificate by running the following command. The
path is to the auto-generated CA certificate for the HTTP layer.
[source,sh]
----
openssl x509 -fingerprint -sha256 -in config/tls_auto_config_<timestamp>/http_ca.crt
----
`<timestamp>`:: The timestamp of when the auto-configuration process created the security files directory.
The command returns the security certificate, including the fingerprint.
The `issuer` should be `Elasticsearch security auto-configuration HTTP CA`.
[source,sh]
----
issuer= /CN=Elasticsearch security auto-configuration HTTP CA
SHA256 Fingerprint=<fingerprint>
----
[discrete]
===== Use the CA certificate
If your library doesn't support a method of validating the fingerprint, the
auto-generated CA certificate is created in the
`config/tls_auto_config_<timestamp>` directory on each {es} node. Copy the
`http_ca.crt` file to your machine and configure your client to use this
certificate to establish trust when it connects to {es}.
Reference in New Issue View Git Blame Copy Permalink