Featured resource
2025 Tech Upskilling Playbook
Tech Upskilling Playbook

Build future-ready tech teams and hit key business milestones with seven proven plays from industry leaders.

Check it out
  • Lab
    • Libraries: If you want this lab, consider one of these libraries.
    • Cloud
Google Cloud Platform icon
Labs

Encrypt Cluster and Client Elasticsearch Networks

No matter what technology we are working with, we always need to be mindful of security. Big data platforms are certainly no exception, as they can contain massive amounts of sensitive data that must be protected. Elasticsearch provides multiple security mechanisms through X-Pack Security. In this hands-on lab, you will complete the following tasks on a 3-node Elasticsearch cluster: * Generate a certificate authority * Generate node certificates * Add certificate passwords to Elasticsearch's keystore * Enable cluster (transport) network encryption * Enable client (HTTP) network encryption * Set built-in user passwords

Google Cloud Platform icon
Lab platform
Lab Info
Level
Advanced
Last updated
Sep 04, 2025
Duration
1h 45m

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
Table of Contents
  1. Challenge

    Generate a Certificate Authority (CA).
    1. Using the Secure Shell (SSH), log in to each node as cloud_user via the public IP address.

    2. Become the elastic user with:

    sudo su - elastic
    
    1. Create a certs directory on each node:
    mkdir /home/elastic/elasticsearch/config/certs
    
    1. On the master-1 node, create a CA certificate with password elastic_ca in the new certs directory:
    /home/elastic/elasticsearch/bin/elasticsearch-certutil ca --out config/certs/ca --pass elastic_ca
    
  2. Challenge

    Generate and deploy a certificate for each node per instructions.
    1. Using the Secure Shell (SSH), log in to the master-1 node as cloud_user via the public IP address.

    2. Become the elastic user with:

    sudo su - elastic
    
    1. On the master-1 node, generate each node's certificate with the CA per instructions:
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-1 --dns ip-10-1-101.ec2.internal --ip 10.0.1.101 --out config/certs/master-1 --pass elastic_master_1
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-2 --dns ip-10-1-102.ec2.internal --ip 10.0.1.102 --out config/certs/master-2 --pass elastic_master_2
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name master-3 --dns ip-10-1-103.ec2.internal --ip 10.0.1.103 --out config/certs/master-3 --pass elastic_master_3
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-1 --dns ip-10-1-104.ec2.internal --ip 10.0.1.104 --out config/certs/data-1 --pass elastic_data_1
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-2 --dns ip-10-1-105.ec2.internal --ip 10.0.1.105 --out config/certs/data-2 --pass elastic_data_2
    /home/elastic/elasticsearch/bin/elasticsearch-certutil cert --ca config/certs/ca --ca-pass elastic_ca --name data-3 --dns ip-10-1-106.ec2.internal --ip 10.0.1.106 --out config/certs/data-3 --pass elastic_data_3
    
    1. On the master-1 node, remote copy each certificate to the certs directory created on each node:
    scp /home/elastic/elasticsearch/config/certs/master-2 10.0.1.102:/home/elastic/elasticsearch/config/certs
    scp /home/elastic/elasticsearch/config/certs/master-3 10.0.1.103:/home/elastic/elasticsearch/config/certs
    scp /home/elastic/elasticsearch/config/certs/data-1 10.0.1.104:/home/elastic/elasticsearch/config/certs
    scp /home/elastic/elasticsearch/config/certs/data-2 10.0.1.105:/home/elastic/elasticsearch/config/certs
    scp /home/elastic/elasticsearch/config/certs/data-3 10.0.1.106:/home/elastic/elasticsearch/config/certs
    
    1. Add the transport keystore password on each node:
    echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.keystore.secure_password
    
    1. Add the transport truststore password on each node:
    echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.transport.ssl.truststore.secure_password
    
    1. Add the HTTP keystore password on each node:
    echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.http.ssl.keystore.secure_password
    
    1. Add the HTTP truststore password on each node:
    echo "CERTIFICATE_PASSWORD_HERE" | /home/elastic/elasticsearch/bin/elasticsearch-keystore add --stdin xpack.security.http.ssl.truststore.secure_password
    
  3. Challenge

    Configure transport network encryption and restart Elasticsearch.
    1. Using the Secure Shell (SSH), log in to each node as cloud_user via the public IP address.

    2. Become the elastic user with:

    sudo su - elastic
    
    1. Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml on each node:
    #
    # ---------------------------------- X-Pack ------------------------------------
    #
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: full
    xpack.security.transport.ssl.keystore.path: certs/CERTIFICATE_FILE_NAME_HERE
    xpack.security.transport.ssl.truststore.path: certs/CERTIFICATE_FILE_NAME_HERE
    
    1. Stop Elasticsearch:
    pkill -F /home/elastic/elasticsearch/pid
    
    1. Start Elasticsearch as a background daemon and record the PID to a file:
    /home/elastic/elasticsearch/bin/elasticsearch -d -p pid
    
  4. Challenge

    Use the elasticsearch-setup-passwords tool to set the password for each built-in user.
    1. Using the Secure Shell (SSH), log in to the master-1 node as cloud_user via the public IP address.

    2. Become the elastic user with:

    sudo su - elastic
    
    1. Set the built-in user passwords using the elasticsearch-setup-passwords utility on the master-1 node:
    /home/elastic/elasticsearch/bin/elasticsearch-setup-passwords interactive
    
    1. Use the following passwords:
    User: elastic
    Password: la_elastic_409
    
    User: apm_system
    Password: la_apm_system_409
    
    User: kibana
    Password: la_kibana_409
    
    User: logstash_system
    Password: la_logstash_system_409
    
    User: beats_system
    Password: la_beats_system_409
    
    User: remote_monitoring_user
    Password: la_remote_monitoring_user_409
    
  5. Challenge

    Configure HTTP network encryption and restart Elasticsearch.
    1. Using the Secure Shell (SSH), log in to each node as cloud_user via the public IP address.

    2. Become the elastic user with:

    sudo su - elastic
    
    1. Add the following to /home/elastic/elasticsearch/config/elasticsearch.yml:
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: certs/CERTIFICATE_FILE_NAME_HERE
    xpack.security.http.ssl.truststore.path: certs/CERTIFICATE_FILE_NAME_HERE
    
    1. Stop Elasticsearch:
    pkill -F /home/elastic/elasticsearch/pid
    
    1. Start Elasticsearch as a background daemon and record the PID to a file:
    /home/elastic/elasticsearch/bin/elasticsearch -d -p pid
    
About the author

Pluralsight Skills gives leaders confidence they have the skills needed to execute technology strategy. Technology teams can benchmark expertise across roles, speed up release cycles and build reliable, secure products. By leveraging our expert content, skill assessments and one-of-a-kind analytics, keep up with the pace of change, put the right people on the right projects and boost productivity. It's the most effective path to developing tech skills at scale.

Real skill practice before real-world application

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Learn by doing

Engage hands-on with the tools and technologies you’re learning. You pick the skill, we provide the credentials and environment.

Follow your guide

All labs have detailed instructions and objectives, guiding you through the learning process and ensuring you understand every step.

Turn time into mastery

On average, you retain 75% more of your learning if you take time to practice. Hands-on labs set you up for success to make those skills stick.

Get started with Pluralsight