Transport connections between {{es}} nodes are security-critical and you must protect them carefully. Malicious actors who can observe or interfere with node-to-node transport traffic can read or modify cluster data. A malicious actor who can establish a transport connection might be able to invoke system-internal APIs, including APIs that read or modify cluster data.
3
3
4
-
If you choose to issue node transport certificates using third-party tools, then carefully review [](/deploy-manage/security/self-tls-considerations.md) to ensure that the certificates that you provide meet the security requirements for transport connections.
4
+
If you choose to issue node transport certificates using an external CA, then carefully review [](/deploy-manage/security/self-tls-considerations.md) to ensure that the certificates that you provide meet the security requirements for transport connections.
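Review bot: The unchanged context paragraph above this hunk ("Malicious actors who can observe or interfere with node-to-node transport traffic") has drifted from the two other copies of the same paragraph in this PR, which read "observe or interfere with unencrypted node-to-node transport traffic". Since the wording is being touched across files anyway, align the three copies (or better, keep the paragraph in one place and reuse it) so the threat description does not differ between pages.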
deploy-manage/security/self-tls-considerations.md: 3 additions & 3 deletions
@@ -6,10 +6,10 @@ applies_to:
6
6
eck:
7
7
products:
8
8
- id: elasticsearch
9
-
navigation_title: Private or 3P CA considerations
9
+
navigation_title: External CA considerations
10
10
---
11
11
12
-
# Considerations for using a private or third-party CA for transport layer security
12
+
# Considerations for using an external CA for transport layer security
13
13
14
14
By default, {{es}} uses mutual TLS (mTLS) to secure node-to-node transport connections. Mutual TLS means that data is encrypted in transit, ensuring confidentiality and integrity, and also that both nodes in a connection must present a valid certificate to the other node when establishing the connection. Each node requires that certificates be issued by a trusted certificate authority, ensuring that only authorized nodes can connect. Configure trusted certificate authorities using settings in the [`xpack.security.transport.ssl.*`](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#transport-tls-ssl-settings) namespace, such as `xpack.security.transport.ssl.certificate_authorities` and `xpack.security.transport.ssl.truststore.path`.
15
15
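Review bot: The title and H1 now say "external CA", but nothing on this page defines the term; the only definition in the PR is the sentence added to set-up-basic-security.md ("An external CA is any CA that is not managed using `elasticsearch-certutil`"). Readers reach this page through the cross-link from that page and from the first hunk, so repeat the definition in the intro paragraph here (for example after "By default, {{es}} uses mutual TLS (mTLS) to secure node-to-node transport connections.") so the page stands on its own.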
@@ -19,7 +19,7 @@ By default, {{es}} uses mutual TLS (mTLS) to secure node-to-node transport conne
19
19
Transport connections between {{es}} nodes are security-critical and you must protect them carefully. Malicious actors who can observe or interfere with unencrypted node-to-node transport traffic can read or modify cluster data. A malicious actor who can establish a transport connection might be able to invoke system-internal APIs, including APIs that read or modify cluster data.
20
20
::::
21
21
22
-
## mTLS transport certificate requirements for private or third-party CAs
22
+
## mTLS transport certificate requirements for external CAs
23
23
24
24
Obtain your transport certificates from a certificate authority that only issues certificates to {{es}} nodes permitted to connect to your cluster. Do not use a public certificate authority or an organization-wide private certificate authority, because these issue certificates to entities beyond your authorized cluster nodes. Use a dedicated private certificate authority for each {{es}} cluster.
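Review bot: The renamed H2 drops "private" as a synonym for the CA category, but the unchanged paragraph below it still says "Use a dedicated private certificate authority for each {{es}} cluster" and "an organization-wide private certificate authority", where "private" now means something different (dedicated versus shared). To avoid the terminology clash introduced by the rename, consider "Use a dedicated certificate authority for each {{es}} cluster" and "an organization-wide certificate authority", keeping "private or third-party" only where the page contrasts it with a public CA.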
deploy-manage/security/set-up-basic-security.md: 4 additions & 4 deletions
@@ -41,7 +41,7 @@ For the transport layer, we recommend using a separate, dedicated CA instead of
41
41
When you manually set up transport TLS, you can choose from the following CA options:
42
42
43
43
*[Use the `elasticsearch-certutil` tool to generate a CA unique to your cluster](#generate-certificates) (recommended)
44
-
*[Provide certificates from a private or third-party CA](#private-3p)
44
+
*[Provide certificates from an external CA](#external-ca)
45
45
46
46
### Generate the certificate authority using `elasticsearch-certutil`[generate-certificates]
47
47
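Review bot: The list link target changes from `#private-3p` to `#external-ca`, which removes the old anchor from the rendered page. Before merging, grep the docs repo (and any redirect configuration) for `#private-3p` to catch inbound links from other pages, or keep the old anchor as an alias so existing deep links do not break.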
@@ -71,9 +71,9 @@ You can use the `elasticsearch-certutil` tool to generate a CA for your cluster.
71
71
The output file is a keystore named `elastic-certificates.p12`. This file contains a node certificate, node key, and CA certificate.
72
72
73
73
74
-
### Provide certificates from a private or third-party CA [private-3p]
74
+
### Provide certificates from an external CA [external-ca]
75
75
76
-
You might choose to use a private or third-party CA to generate transport certificates for node-to-node connections.
76
+
You might choose to use an external CA to generate transport certificates for node-to-node connections. An external CA is any CA that is not managed using `elasticsearch-certutil`.
77
77
78
78
Transport connections between {{es}} nodes are security-critical and you must protect them carefully. Malicious actors who can observe or interfere with unencrypted node-to-node transport traffic can read or modify cluster data. A malicious actor who can establish a transport connection might be able to invoke system-internal APIs, including APIs that read or modify cluster data.
79
79
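Review bot: The added definition "An external CA is any CA that is not managed using `elasticsearch-certutil`" is helpful, but "external" is easy to read as "outside your organization", which would wrongly exclude a company's own PKI from the requirements that follow (a dedicated CA per cluster, no public or organization-wide CA). Suggest making the scope explicit, for example: "An external CA is any CA that is not managed using `elasticsearch-certutil`, including your organization's own private PKI."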
@@ -86,7 +86,7 @@ The transport networking layer is used for internal communication between nodes
86
86
87
87
Now that you’ve obtained your certificates, you’ll update your cluster to use these files.
88
88
89
-
These steps assume that you [generated a CA and certificates](#generate-certificates) using `elasticsearch-certutil`. The `xpack.security.transport.ssl` settings that you need to set differ if you're using a certificate generated with a private or third-party CA. Refer to [Transport TLS/SSL settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#transport-tls-ssl-settings) full list of available settings.
89
+
These steps assume that you [generated a CA and certificates](#generate-certificates) using `elasticsearch-certutil`. The `xpack.security.transport.ssl` settings that you need to set differ if you're using a certificate generated with an external CA. Refer to [Transport TLS/SSL settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#transport-tls-ssl-settings) full list of available settings.
90
90
91
91
::::{note}
92
92
{{es}} monitors all files such as certificates, keys, keystores, or truststores that are configured as values of TLS-related node settings. If you update any of these files, such as when your hostnames change or your certificates are due to expire, {{es}} reloads them. The files are polled for changes at a frequency determined by the global {{es}} `resource.reload.interval.high` setting, which defaults to 5 seconds.
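Review bot: The changed line still carries a grammar error from the original: "Refer to [Transport TLS/SSL settings](...) full list of available settings" is missing "for the". Since the line is already being modified, fix it to "Refer to [Transport TLS/SSL settings](...) for the full list of available settings." Also, certificates are issued by a CA rather than generated with one, so "a certificate issued by an external CA" reads more precisely than "a certificate generated with an external CA".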