Elastic Stack 證書創建

1.創建CA證書

./bin/elasticsearch-certutil ca
# 默認文件名：elastic-stack-ca.p12

2.生成節點使用的證書

./bin/elasticsearch-certutil cert \
  --ca elastic-stack-ca.p12 \
  --dns localhost \
  --ip 127.0.0.1,::1 \
  --out config/certs/node-1.p12

# --ca為CA證書路徑名稱
# -dns為節點DNS
# --ip為節點ip
# --out為生成節點證書的路徑和名稱等，輸出文件是PKCS＃12密鑰庫，其中包括節點證書，節點密鑰和CA證書

# 或者使用命令 bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 效果跟上面這個一樣，生成一個p12結尾的證書

提取出pem證書

# elastic-certificates.p12為上一步節點證書
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elastic-ca.pem

不知道是啥的證書

bin/elasticsearch-certutil ca --pem (elastic-stack-ca.zip) 
  inflating: ca/ca.crt
  inflating: ca/ca.key

批量生成證書

# 創建實例 yaml 文件
vi ~/tmp/cert_blog/instance.yml
# 將實例信息添加到 yml 文件
instances:
  - name: 'node1'
    dns: [ 'node1.elastic.test.com' ]
  - name: "node2"
    dns: [ 'node2.elastic.test.com' ]
  - name: 'my-kibana'
    dns: [ 'kibana.local' ]
  - name: 'logstash'
    dns: [ 'logstash.local' ]

# 生成 CA 和服務器證書
bin/elasticsearch-certutil cert ca --pem --in instance.yml --out certs.zip
# 會生成一個壓縮包，解壓后會有一個ca文件夾和各以name命令的文件夾，包含文件如下
cat instance.yml 
instances:
  - name: '192.168.75.20'
    dns: ['192.168.75.20']
  - name: '192.168.75.21'
    dns: ['192.168.75.21']
  - name: '192.168.75.22'
    dns: ['192.168.75.22']
  - name: '192.168.75.23'
    dns: ['192.168.75.23']  

bin/elasticsearch-certutil cert ca --pem --in instance.yml --out certs.zip
unzip certs.zip

tree ca/
ca/
└── ca.crt

 tree 192.168.75.2*
192.168.75.20
├── 192.168.75.20.crt
└── 192.168.75.20.key
192.168.75.21
├── 192.168.75.21.crt
└── 192.168.75.21.key
192.168.75.22
├── 192.168.75.22.crt
└── 192.168.75.22.key
192.168.75.23
├── 192.168.75.23.crt
└── 192.168.75.23.key

官方文檔證書生成

# cat instance.yml 
instances:
  - name: "node1" 
    ip: 
      - "192.0.2.1"
    dns: 
      - "node1.mydomain.com"
  - name: "node2"
    ip:
      - "192.0.2.2"
      - "198.51.100.1"
  - name: "node3"
  - name: "node4"
    dns:
      - "node4.mydomain.com"
      - "node4.internal"
  - name: "CN=node5,OU=IT,DC=mydomain,DC=com"
    filename: "node5"

bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
unzip test1.zip
# tree node*
node1
└── node1.p12
node2
└── node2.p12
node3
└── node3.p12
node4
└── node4.p12
node5
└── node5.p12

bin/elasticsearch-certutil csr --silent --in instances.yml --out test2.zip --pass testpassword
unzip test2.zip
# tree node*
node1
├── node1.csr
└── node1.key
node2
├── node2.csr
└── node2.key
node3
├── node3.csr
└── node3.key
node4
├── node4.csr
└── node4.key
node5
├── node5.csr
└── node5.key

官方地址：https://www.elastic.co/guide/en/elasticsearch/reference/master/encrypting-communications-certificates.html
https://www.elastic.co/guide/en/elasticsearch/reference/7.5/certutil.html

分離p12(或pfx)文件中的證書和私鑰
p12(或者pfx)文件里一般存放有CA的根證書,用戶證書和用戶的私鑰

假設我們有一個test.p12文件,在安裝了openssl的linux服務器上執行以下命令:

提取用戶證書:

openssl pkcs12 -in test.p12 -clcerts -nokeys -out cert.pem  //pem格式
openssl pkcs12 -in test.p12 -clcerts -nokeys -out cert.crt  //crt格式

如果需要攜帶秘鑰,則去掉 -nokeys

openssl pkcs12 -in test.p12 -clcerts  -out cert.pem  //pem格式
openssl pkcs12 -in test.p12 -clcerts  -out cert.crt  //crt格式

提取私鑰:

openssl pkcs12 -in test.p12 -nocerts -out key.pem

清除秘鑰中的密碼(在把秘鑰部署到某些服務器上時可能需要清除密碼)

openssl rsa -in key.pem -out newkey.pem

在java中pkcs12 和jks的相互轉換:

# JKS → P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12


# P12 → JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks