
Linux command

elasticsearch-certutil command


After copying, replace file names, directories, or parameters as needed.

Common examples

Generate CA certificate

elasticsearch-certutil ca

Generate node certificate

elasticsearch-certutil cert --ca [elastic-stack-ca.p12]

Generate CSR

elasticsearch-certutil csr

Generate HTTP certificates

elasticsearch-certutil http

Output in PEM format

elasticsearch-certutil ca --pem

Description

elasticsearch-certutil generates certificates and certificate authorities for securing Elasticsearch clusters. It simplifies the certificate management process by automating the creation of self-signed certificates, certificate authorities, and certificate signing requests. The tool is essential for enabling TLS/SSL encryption on both the transport layer (node-to-node communication) and the HTTP layer (client API access). It generates certificates in PKCS#12 or PEM format and can include multiple DNS names and IP addresses for cluster deployments. elasticsearch-certutil streamlines security configuration required for production Elasticsearch deployments and enables features like Elastic Stack security.

Parameters

--ca _file_
Path to existing CA in PKCS#12 format (cert mode).
--ca-cert _file_
Path to CA certificate in PEM format.
--ca-key _file_
Path to CA private key in PEM format.
--ca-pass _password_
Password for the CA private key.
--out _file_
Output file path.
--pem
Output in PEM format instead of PKCS#12.
--dns _names_
Comma-separated list of DNS names for the certificate.
--ip _addresses_
Comma-separated list of IP addresses for the certificate.
--name _name_
Filename (without extension) for generated certificate.
--pass _password_
Password for the generated private key.
--days _n_
Certificate validity period in days (default: 1095).
--keysize _bits_
RSA key size in bits (default: 2048).
--multiple
Generate certificates for multiple instances.
--in _file_
YAML file describing instances to generate certificates for.
--self-signed
Create a self-signed certificate (cert mode).
-s, --silent
Minimal output.
-v, --verbose
Verbose output.
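
An added example (not from the original page or the Elasticsearch project): a POSIX shell helper that builds the file passed to `--in` from a host inventory and rejects any entry that has neither a DNS name nor an IP address. The YAML layout is an assumption the page does not show, and the host names, addresses and file names are constructed sample data.

```shell
#!/bin/sh
# Added example: turn a host inventory into the YAML file passed to
# `elasticsearch-certutil cert --in`. The YAML layout (instances / name /
# dns / ip) is an assumption; the page does not show it.

emit_list() {
  # $1 = YAML key, $2 = comma-separated values; prints nothing when empty.
  [ -z "$2" ] && return 0
  printf '    %s:\n' "$1"
  old_ifs=$IFS; IFS=,
  for item in $2; do printf '      - "%s"\n' "$item"; done
  IFS=$old_ifs
}

write_instances_yaml() {
  # $1 = inventory file (name|dns,dns|ip,ip per line), $2 = output YAML path.
  inv=$1; out=$2
  echo "instances:" > "$out"
  while IFS='|' read -r name dns ips; do
    case "$name" in ''|\#*) continue ;; esac
    # Refuse entries with no SAN: clients that verify the peer's host name
    # or address would reject such a certificate.
    if [ -z "$dns" ] && [ -z "$ips" ]; then
      echo "error: $name has no DNS name or IP address" >&2
      return 1
    fi
    printf '  - name: "%s"\n' "$name" >> "$out"
    emit_list dns "$dns" >> "$out"
    emit_list ip "$ips" >> "$out"
  done < "$inv"
}

# Constructed sample inventory: hypothetical hosts, documentation IP range.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inventory.txt" <<'EOF'
# name|dns names|ip addresses
es-node-1|es-node-1.example.internal,es-node-1|192.0.2.11
es-node-2|es-node-2.example.internal|192.0.2.12
EOF
write_instances_yaml "$demo_dir/inventory.txt" "$demo_dir/instances.yml"
cat "$demo_dir/instances.yml"

# Then sign every instance with the CA from `elasticsearch-certutil ca`:
#   elasticsearch-certutil cert --ca elastic-stack-ca.p12 \
#     --in instances.yml --out certs.zip --days 365
```

Leaving `--ca-pass` and `--pass` off the command line keeps the passwords out of shell history and the process list.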

FAQ

How do I run a basic elasticsearch-certutil example?

Run `elasticsearch-certutil ca` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
