Source: https://www.elastic.co/guide/en/elasticsearch/reference/7.5/certutil.html
- Syntax:
bin/elasticsearch-certutil
(
(ca [--ca-dn <name>] [--days <n>] [--pem])
| (cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>])
[--ca-dn <name>] [--ca-pass <password>] [--days <n>]
[--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--keep-ca-key] [--multiple] [--name <file_name>] [--pem])
| (csr [--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--name <file_name>])
[-E <KeyValuePair>] [--keysize <bits>] [--out <file_path>]
[--pass <password>]
)
[-h, --help] ([-s, --silent] | [-v, --verbose])
Syntax notes:
The elasticsearch-certutil command takes one of three modes, each with its own parameter options. The three modes are ca, cert and csr; the command also supports a silent mode of operation to make batch processing easier.
- Modes
Description
You can specify one of the following modes: ca, cert, csr. The elasticsearch-certutil command also supports a silent mode of operation to enable easier batch operations.
CA mode
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which holds the CA certificate and the private key for the CA. If you specify the --pem parameter, the command generates a zip file, which contains the certificate and private key in PEM format.
You can subsequently use these files as input for the cert mode of the command.
CERT mode
The cert mode generates X.509 certificates and private keys. By default, it produces a single certificate and key for use on a single instance.
To generate certificates and keys for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.
An instance is any piece of the Elastic Stack that requires a TLS or SSL certificate. Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats might all require a certificate and private key. The minimum required information for an instance is its name, which is used as the common name for the certificate. The instance name can be a hostname value or a full distinguished name. If the instance name would result in an invalid file or directory name, you must also specify a file name in the --name command parameter or in the filename field in an input YAML file.
You can optionally provide IP addresses or DNS names for each instance; they become Subject Alternative Names in the certificate. If neither IP addresses nor DNS names are specified, the Elastic Stack products cannot perform hostname verification, and you might need to set the verification_mode security setting to certificate, which validates the certificate chain but not the hostname (a weaker guarantee, since any certificate issued by the CA is then accepted for any host). For more information about this setting, see Security settings.
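The following added example (not code from the Elastic documentation or from certutil) models how a client's verification_mode treats a certificate that certutil produced with or without ip/dns entries. Only SAN matching and the mode switch are modelled; chain, signature and expiry validation are stood in for by a chain_ok flag that a real TLS stack would compute. Two assumptions are made: the certificate's common name is never used for hostname matching (the text above says verification is impossible without SANs), and a wildcard dNSName matches exactly one left-most label.

```python
"""Model xpack.security.*.ssl.verification_mode against certutil-style SANs.

Added example, not Elastic code. Assumptions: the CN is ignored for hostname
matching, and "*.example" matches a single left-most label only.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CertIdentity:
    common_name: str        # the instance name certutil puts in the CN
    dns_sans: tuple = ()    # the instance's `dns` list
    ip_sans: tuple = ()     # the instance's `ip` list


def dns_name_matches(pattern, host):
    """Case-insensitive dNSName match with single-label wildcard support."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                  # ".mydomain.com"
        prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return False


def identity_matches(cert, target):
    """Hostname verification: IP literals must match an iPAddress SAN,
    names must match a dNSName SAN. The CN is deliberately not consulted."""
    try:
        wanted = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        wanted = None
    if wanted is not None:
        return any(ipaddress.ip_address(s) == wanted for s in cert.ip_sans)
    return any(dns_name_matches(p, target) for p in cert.dns_sans)


def accept(cert, target, verification_mode, chain_ok=True):
    """Return True if a client in the given mode would accept `cert` for
    `target`. chain_ok stands in for the chain/signature/expiry checks."""
    mode = verification_mode.lower()
    if mode == "none":
        return True             # nothing is checked; throwaway lab clusters only
    if not chain_ok:
        return False            # both remaining modes require a valid chain
    if mode == "certificate":
        return True             # chain only: any cert from the CA is accepted
    if mode == "full":
        return identity_matches(cert, target)
    raise ValueError(f"unknown verification_mode {verification_mode!r}")


# Constructed identities mirroring the instances.yml example: node1 carries
# SANs, node3 carries none, plus a wildcard and an IPv6 case.
NODE1 = CertIdentity("node1", dns_sans=("node1.mydomain.com",), ip_sans=("192.0.2.1",))
NODE3 = CertIdentity("node3")
WILDCARD = CertIdentity("wild", dns_sans=("*.mydomain.com",))
NODE_V6 = CertIdentity("node6", ip_sans=("2001:db8::1",))

if __name__ == "__main__":
    for cert, target in ((NODE1, "node1.mydomain.com"), (NODE1, "node1"), (NODE3, "node3")):
        print(f"{cert.common_name:6} {target:20} full={accept(cert, target, 'full')} "
              f"certificate={accept(cert, target, 'certificate')}")
```

The node3 row is the failure mode the text describes: with no ip/dns entries the certificate can only pass in certificate mode, so an attacker holding any other certificate signed by the same CA could impersonate node3 to clients configured that way.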
All certificates that are generated by this command are signed by a CA. You can provide your own CA with the --ca or --ca-cert parameters. Otherwise, the command automatically generates a new CA for you. For more information about generating a CA, see the CA mode of this command.
By default, the cert mode produces a single PKCS#12 output file which holds the instance certificate, the instance private key, and the CA certificate. If you specify the --pem parameter, the command generates PEM formatted certificates and keys and packages them into a zip file. If you specify the --keep-ca-key, --multiple or --in parameters, the command produces a zip file containing the generated certificates and keys.
CSR mode
The csr mode generates certificate signing requests (CSRs) that you can send to a trusted certificate authority to obtain signed certificates. The signed certificates must be in PEM or PKCS#12 format to work with Elasticsearch security features.
By default, the command produces a single CSR for a single instance.
To generate CSRs for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.
The csr mode produces a single zip file which contains the CSRs and the private keys for each instance. Each CSR is provided as a standard PEM encoding of a PKCS#10 CSR. Each key is provided as a PEM encoding of an RSA private key.
- Parameter details:
ca
Specifies to generate a new local certificate authority (CA). This parameter cannot be used with the csr or cert parameters.
cert
Specifies to generate new X.509 certificates and keys. This parameter cannot be used with the csr or ca parameters.
csr
Specifies to generate certificate signing requests. This parameter cannot be used with the ca or cert parameters.
--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter cannot be used with the ca or csr parameters.
--ca-cert <file_path>
Specifies the path to an existing CA certificate (in PEM format). You must also specify the --ca-key parameter. The --ca-cert parameter cannot be used with the ca or csr parameters.
--ca-dn <name>
Defines the Distinguished Name (DN) that is used for the generated CA certificate. The default value is CN=Elastic Certificate Tool Autogenerated CA. This parameter cannot be used with the csr parameter.
--ca-key <file_path>
Specifies the path to an existing CA private key (in PEM format). You must also specify the --ca-cert parameter. The --ca-key parameter cannot be used with the ca or csr parameters.
--ca-pass <password>
Specifies the password for an existing CA private key or the generated CA private key. This parameter cannot be used with the ca or csr parameters.
--days <n>
Specifies an integer value that represents the number of days the generated certificates are valid. The default value is 1095. This parameter cannot be used with the csr parameter.
--dns <domain_name>
Specifies a comma-separated list of DNS names. This parameter cannot be used with the ca parameter.
-E <KeyValuePair>
Configures a setting.
-h, --help
Returns all of the command parameters.
--in <input_file>
Specifies the file that is used to run in silent mode. The input file must be a YAML file. This parameter cannot be used with the ca parameter.
--ip <IP_addresses>
Specifies a comma-separated list of IP addresses. This parameter cannot be used with the ca parameter.
--keep-ca-key
When running in cert mode with an automatically-generated CA, specifies to retain the CA private key for future use.
--keysize <bits>
Defines the number of bits that are used in generated RSA keys. The default value is 2048.
--multiple
Specifies to generate files for multiple instances. This parameter cannot be used with the ca parameter.
--name <file_name>
Specifies the name of the generated certificate. This parameter cannot be used with the ca parameter.
--out <file_path>
Specifies a path for the output files.
--pass <password>
Specifies the password for the generated private keys.
Keys stored in PKCS#12 format are always password protected, however, this password may be blank. If you want to specify a blank password without a prompt, use --pass "" (with no =) on the command line.
Keys stored in PEM format are password protected only if the --pass parameter is specified. If you do not supply an argument for the --pass parameter, you are prompted for a password. Encrypted PEM files do not support blank passwords (if you do not wish to password-protect your PEM keys, then do not specify --pass).
--pem
Generates certificates and keys in PEM format instead of PKCS#12. This parameter cannot be used with the csr parameter.
-s, --silent
Shows minimal output.
-v, --verbose
Shows verbose output.
- Examples:
The following command generates a CA certificate and private key in PKCS#12 format:
bin/elasticsearch-certutil ca
You are prompted for an output filename and a password. Alternatively, you can specify the --out and --pass parameters.
You can then generate X.509 certificates and private keys by using the new CA. For example:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
You are prompted for the CA password and for an output filename and password. Alternatively, you can specify the --ca-pass, --out, and --pass parameters.
By default, this command generates a file called elastic-certificates.p12, which you can copy to the relevant configuration directory for each Elastic product that you want to configure. Because that file also holds the private key, copy it over a secure channel and keep its permissions restricted to the service user. For more information, see Setting up TLS on a cluster.
Using elasticsearch-certutil in silent mode
To use the silent mode of operation, you must create a YAML file that contains information about the instances. It must match the following format:
instances:
- name: "node1"
ip:
- "192.0.2.1"
dns:
- "node1.mydomain.com"
- name: "node2"
ip:
- "192.0.2.2"
- "198.51.100.1"
- name: "node3"
- name: "node4"
dns:
- "node4.mydomain.com"
- "node4.internal"
- name: "CN=node5,OU=IT,DC=mydomain,DC=com"
filename: "node5"
name: The name of the instance. This can be a simple string value or can be a Distinguished Name (DN). This is the only required field.
ip: An optional array of strings that represent IP addresses for this instance. Both IPv4 and IPv6 values are allowed. The values are added as Subject Alternative Names.
dns: An optional array of strings that represent DNS names for this instance. The values are added as Subject Alternative Names.
filename: The filename to use for this instance. This name is used as the name of the directory that contains the instance's files in the output. It is also used in the names of the files within the directory. This filename should not have an extension. Note: If the name provided for the instance does not represent a valid filename, then the filename field must be present.
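Hand-written instances.yml files are where silent-mode runs usually go wrong: a DN name without a filename, two instances that resolve to the same output directory, or a node with no ip/dns entries that silently ends up unverifiable. The added example below (not code from the Elastic documentation or from certutil) builds the file from an inventory and checks those constraints first. The "safe filename" rule is a deliberately conservative assumption (certutil's own check may accept more characters); the sample inventories are constructed and mirror the documented example.

```python
"""Build and sanity-check an instances.yml for `elasticsearch-certutil --in`.

Added example, not Elastic code. The filename rule is an assumption that is
stricter than certutil's own check; the YAML layout follows the documentation.
"""
import ipaddress
import json
import re

# Assumption: accept letters, digits, '.', '_' and '-' (no leading '.') as a
# bare filename. A DN such as "CN=node5,OU=IT" fails this on purpose.
_SAFE_FILENAME = re.compile(r"^(?!\.)[A-Za-z0-9._-]{1,255}$")
# RFC 1123 label: alphanumerics and '-', no leading or trailing '-'.
_DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_safe_filename(value):
    return bool(_SAFE_FILENAME.match(value))


def is_dns_name(value):
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_DNS_LABEL.match(label) for label in value.split("."))


def validate_instances(instances):
    """Return (errors, warnings). Errors would make the file unusable or
    ambiguous; warnings flag certificates weaker than you probably intend."""
    errors, warnings = [], []
    used = {}  # filename -> instance name, to catch output-directory collisions
    for idx, inst in enumerate(instances):
        where = f"instances[{idx}]"
        name = inst.get("name")
        if not name:
            errors.append(f"{where}: 'name' is required")
            continue
        filename = inst.get("filename")
        if filename is None:
            if not is_safe_filename(name):
                errors.append(f"{where} ({name!r}): name is not a safe filename, add 'filename'")
                continue
            filename = name
        elif not is_safe_filename(filename):
            errors.append(f"{where}: filename {filename!r} has unsafe characters")
        elif "." in filename:
            warnings.append(f"{where}: filename {filename!r} looks like it carries an extension")
        if filename in used:
            errors.append(f"{where}: filename {filename!r} collides with {used[filename]!r}")
        used.setdefault(filename, name)
        for ip in inst.get("ip") or []:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"{where}: {ip!r} is not an IPv4/IPv6 address")
        for dns in inst.get("dns") or []:
            if not is_dns_name(dns):
                errors.append(f"{where}: {dns!r} is not a valid DNS name")
        if not (inst.get("ip") or inst.get("dns")):
            warnings.append(f"{where} ({name!r}): no ip/dns, so hostname verification cannot succeed")
    return errors, warnings


def render_instances_yml(instances):
    """Emit block-style YAML. json.dumps produces a double-quoted scalar that
    YAML reads unchanged, so names containing '=' or ',' are safe."""
    lines = ["instances:"]
    for inst in instances:
        lines.append(f"  - name: {json.dumps(inst['name'])}")
        for key in ("ip", "dns"):
            values = inst.get(key) or []
            if values:
                lines.append(f"    {key}:")
                lines.extend(f"      - {json.dumps(v)}" for v in values)
        if inst.get("filename"):
            lines.append(f"    filename: {json.dumps(inst['filename'])}")
    return "\n".join(lines) + "\n"


def build_instances_yml(instances):
    """Validate, then render; raises ValueError if anything would break the run."""
    errors, _warnings = validate_instances(instances)
    if errors:
        raise ValueError("; ".join(errors))
    return render_instances_yml(instances)


# Constructed inventory mirroring the documented example.
SAMPLE_INSTANCES = [
    {"name": "node1", "ip": ["192.0.2.1"], "dns": ["node1.mydomain.com"]},
    {"name": "node2", "ip": ["192.0.2.2", "198.51.100.1"]},
    {"name": "node3"},
    {"name": "node4", "dns": ["node4.mydomain.com", "node4.internal"]},
    {"name": "CN=node5,OU=IT,DC=mydomain,DC=com", "filename": "node5"},
]
# Constructed broken inventory: DN without filename, bad IP, bad DNS label,
# and a filename that collides with an earlier instance.
BAD_INSTANCES = [
    {"name": "CN=node6,OU=IT,DC=mydomain,DC=com"},
    {"name": "node7", "ip": ["192.0.2.300"], "dns": ["-bad.mydomain.com"]},
    {"name": "node7", "filename": "node7"},
]

if __name__ == "__main__":
    print(build_instances_yml(SAMPLE_INSTANCES), end="")
    errs, warns = validate_instances(BAD_INSTANCES)
    for line in errs + warns:
        print("#", line)
```

Write the rendered text to instances.yml and pass it with --in; treat the "no ip/dns" warning as a prompt to either add SANs or consciously accept certificate-only verification for that node.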
When your YAML file is ready, you can use the elasticsearch-certutil command to generate certificates or certificate signing requests. Simply use the --in parameter to specify the location of the file. For example:
bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
This command generates a compressed test1.zip file. After you decompress the output file, there is a directory for each instance that was listed in the instances.yml file. Each instance directory contains a single PKCS#12 (.p12) file, which contains the instance certificate, instance private key, and CA certificate. Note that a password given on the command line with --pass is visible in shell history and process listings; omit the parameter to be prompted for it interactively when that matters.
You can also use the YAML file to generate certificate signing requests. For example:
bin/elasticsearch-certutil csr --silent --in instances.yml --out test2.zip --pass testpassword
This command generates a compressed file, which contains a directory for each instance. Each instance directory contains a certificate signing request (*.csr file) and private key (*.key file).