Can certificates generated by elasticsearch-certutil be used in production? HTTPS endpoint only reachable locally?
Q1: Can certificates generated by elasticsearch-certutil be used in production?
Absolutely—elasticsearch-certutil is fully suitable for production environments, but you need to use it strategically based on your setup:
- By default, the tool generates self-signed certificates. These work perfectly for internal, closed networks where you control all clients and nodes. You just need to distribute the CA certificate to all trusted parties to avoid validation errors.
- For public-facing services or environments requiring third-party trust, you can use elasticsearch-certutil to generate a Certificate Signing Request (CSR) and get it signed by a public CA. Alternatively, create your own internal CA first with the tool, then sign node certificates using that CA—this ensures a proper chain of trust across your cluster.
- Key production best practices:
  - Always include all relevant Subject Alternative Names (SANs), i.e. the hostnames and IP addresses, for every node in your cluster and any client that needs to connect.
  - Store certificates and keys securely, and restrict ownership and file permissions (the `chown -R 1000:0 /certs` step in your command handles the ownership part of this).
  - Rotate certificates periodically as part of your routine security maintenance.
Q2: I followed the official guide to generate certificates, but can only connect via localhost over HTTPS. Is this expected?
No, this isn't a fixed limitation—it's almost certainly an issue with your instances.yml configuration.
The command you're running uses --in config/certificates/instances.yml to define the details embedded in the certificate. If your default instances.yml only lists localhost and 127.0.0.1 as DNS/IP entries, the resulting certificate will only be valid for connections to those addresses. When you try to connect from another host, the client will reject the certificate because the target hostname/IP isn't listed in the certificate's SANs.
To fix this:
- Update your `instances.yml` to include all hostnames and IPs that clients or other nodes will use to connect to Elasticsearch. For example:

```yaml
# Every name or address a client will put in its connection URL must appear here;
# the "your-..." entries are placeholders to replace with your real values.
instances:
  - name: "elasticsearch-node-1"
    dns: ["elasticsearch", "your-server-hostname", "localhost", "your-domain.com"]
    ip: ["127.0.0.1", "192.168.1.100", "your-public-ip"]
```

- Re-run the certificate generation command to create a new bundle with these SANs included.
- Replace the old certificates in your `/certs` directory and restart your Elasticsearch nodes.
Once you do this, you'll be able to connect from any host whose address is listed in the certificate's SANs.
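As an added example (not part of the original answer, and not Elastic's tooling), here is a small stdlib-only Python preflight check that applies the same SAN matching rules a TLS client uses to the entries you plan to put in `instances.yml`, so you can see before re-running certutil which connection targets a loopback-only configuration would leave uncovered. The instance entries and connection targets are constructed sample values.

```python
import ipaddress

# Constructed sample entries mirroring instances.yml (not the asker's real file).
# LOOPBACK_ONLY is the situation from Q2; FIXED adds the SANs it was missing.
LOOPBACK_ONLY = {"name": "elasticsearch-node-1",
                 "dns": ["localhost"], "ip": ["127.0.0.1"]}
FIXED = {"name": "elasticsearch-node-1",
         "dns": ["elasticsearch", "es-node-1.internal.example", "localhost"],
         "ip": ["127.0.0.1", "192.168.1.100"]}


def dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName match: case-insensitive, and a wildcard is only
    accepted as the entire leftmost label with at least two labels after it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def target_covered(instance: dict, target: str) -> bool:
    """Would a certificate built from this entry validate for `target`?
    Clients compare IP literals only against iPAddress SANs and names only
    against dNSName SANs, so a hostname that merely resolves to a listed IP
    still fails validation."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return any(dns_matches(d, target) for d in instance.get("dns", []))
    return any(ipaddress.ip_address(i) == addr for i in instance.get("ip", []))


def preflight(instance: dict, targets: list) -> dict:
    """Map each intended connection target to True (covered by the SANs) or
    False (the client would reject the certificate with a name mismatch)."""
    return {t: target_covered(instance, t) for t in targets}


if __name__ == "__main__":
    targets = ["localhost", "127.0.0.1", "192.168.1.100", "ES-NODE-1.internal.example"]
    for label, inst in (("loopback-only", LOOPBACK_ONLY), ("fixed", FIXED)):
        print(label, preflight(inst, targets))
```

Run it against your own planned entries and the exact host strings your clients will use; any target reported False is one the reissued certificate will still not cover.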
The questions above were taken from Stack Exchange; question author: eugene.