Hi Ismailctest C,
Hope you are doing well. Thank you for using Wazuh.
If you use the Wazuh server, the Wazuh indexer, and the Wazuh dashboard deployment:
Take a look at this section of the documentation:
You should have a rootCA certificate that was generated along with the others during the Wazuh installation. It can be used when adding a new node to create its certificates. Just remember to use the same rootCA pem and key that was used for the other nodes:
bash wazuh-certs-tool.sh -A /path/to/root-ca.pem /path/to/root-ca.key
This is explained in more detail in the link I shared above. Basically, you would need to modify your config.yml to add the new nodes and then run this tool while using the rootCA that you already have. This way, you won’t need to re-generate and re-deploy all your certificates, just do it for the new nodes.
If you are using Wazuh with an Elasticsearch multi-node cluster:
First, try this:
If you have previous certificate files, copy those certificates and place them on the new nodes.
If this gives an error, generate new certificates following the guidelines.
I would request that you keep a backup of your previous certificates, so that in case you run into an error you can roll back to the previous stage.
Edit or create the /usr/share/elasticsearch/instances.yml file (vi /usr/share/elasticsearch/instances.yml) and add the following lines:
instances:
  - name: "elasticsearch-1"
    ip:
      - "10.0.0.2"
  - name: "elasticsearch-2"
    ip:
      - "10.0.0.3"
  - name: "elasticsearch-3"
    ip:
      - "10.0.0.4"
  - name: "elasticsearch-5"
    ip:
      - "10.0.0.5"
  - name: "filebeat-1"
    ip:
      - "10.0.0.5"
  - name: "filebeat-2"
    ip:
      - "10.0.0.6"
  - name: "kibana"
    ip:
      - "10.0.0.7"
Change the name and IP based on your needs.
Create the certificates using the elasticsearch-certutil tool:
/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in instances.yml --keep-ca-key --out ~/certs.zip
After generating it, copy the certs.zip file to every node. You can use the scp command for this.
For nodes where Elasticsearch is installed:
The next step is to create the directory /etc/elasticsearch/certs, and then copy the CA file, the certificate and the key there. The X (e.g. 1, 2, 3) must be replaced according to the data defined in the instances.yml file:
# unzip ~/certs.zip -d ~/certs
# mkdir /etc/elasticsearch/certs/ca -p
# cp -R ~/certs/ca/ ~/certs/elasticsearch-X/* /etc/elasticsearch/certs/
# mv /etc/elasticsearch/certs/elasticsearch-X.crt /etc/elasticsearch/certs/elasticsearch.crt
# mv /etc/elasticsearch/certs/elasticsearch-X.key /etc/elasticsearch/certs/elasticsearch.key
# chown -R elasticsearch: /etc/elasticsearch/certs
# chmod -R 500 /etc/elasticsearch/certs
# chmod 400 /etc/elasticsearch/certs/ca/ca.* /etc/elasticsearch/certs/elasticsearch.*
For nodes where Filebeat is installed:
In the Elasticsearch section, the certs.zip file was created. The file must be copied to the Wazuh server host, for example using scp. This guide assumes that the file is placed in ~/ (the user's home folder).
The X must be replaced with the number defined for this Wazuh server in the instances.yml file:
# mkdir /etc/filebeat/certs/ca -p
# zip -d ~/certs.zip "ca/ca.key"
# unzip ~/certs.zip -d ~/certs
# cp -R ~/certs/ca/ ~/certs/filebeat-X/* /etc/filebeat/certs/
# mv /etc/filebeat/certs/filebeat-X.crt /etc/filebeat/certs/filebeat.crt
# mv /etc/filebeat/certs/filebeat-X.key /etc/filebeat/certs/filebeat.key
# chmod -R 500 /etc/filebeat/certs
# chmod 400 /etc/filebeat/certs/ca/ca.* /etc/filebeat/certs/filebeat.*
For nodes where Kibana is installed:
The next step is the certificate placement. This guide assumes that a copy of certs.zip is placed in the root home folder (~/):
# unzip ~/certs.zip -d ~/certs
# rm -f ~/certs/ca/ca.key
# mkdir /etc/kibana/certs/ca -p
# cp ~/certs/ca/ca.crt /etc/kibana/certs/ca
# cp ~/certs/kibana/* /etc/kibana/certs/
# chown -R kibana: /etc/kibana/certs
# chmod -R 500 /etc/kibana/certs
# chmod 400 /etc/kibana/certs/ca/ca.* /etc/kibana/certs/kibana.*
Please check the official documentation to learn more about it:
Please let me know if this helps or if you need any other information.
Regards
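As an added check (example code written for this reply, not part of the post above nor of Wazuh's or Elastic's tooling): a small POSIX shell function that verifies a deployed certs directory matches the layout and permissions produced by the steps above, and that the CA private key (ca/ca.key) is absent on Filebeat and Kibana nodes. It assumes GNU coreutils stat (Linux) and the file names used in the steps above.

```shell
#!/bin/sh
# Added example, not from the post or from Wazuh: checks a deployed certs
# directory against the layout and permissions produced by the steps above.
# Assumes GNU coreutils stat (Linux) and the file names used above.
#   DIR           e.g. /etc/filebeat/certs
#   NAME          elasticsearch, filebeat or kibana
#   ALLOW_CA_KEY  "yes" only on Elasticsearch nodes, which keep ca/ca.key
mode_of() { stat -c '%a' "$1"; }

check_certs_dir() {
  dir=$1; name=$2; allow_ca_key=$3; rc=0
  # Every node needs the CA certificate plus its own certificate and key.
  for f in "$dir/ca/ca.crt" "$dir/$name.crt" "$dir/$name.key"; do
    [ -f "$f" ] || { echo "missing: $f"; rc=1; }
  done
  # The CA private key must not be present on Filebeat or Kibana nodes
  # (the steps above strip it from certs.zip before unpacking there).
  if [ "$allow_ca_key" != "yes" ] && [ -e "$dir/ca/ca.key" ]; then
    echo "CA private key must not be on this node: $dir/ca/ca.key"; rc=1
  fi
  # Directories are expected to be mode 500 and cert/key files mode 400,
  # matching the chmod steps above.
  for d in "$dir" "$dir/ca"; do
    [ -d "$d" ] && [ "$(mode_of "$d")" = "500" ] || { echo "dir $d is not mode 500"; rc=1; }
  done
  for f in "$dir"/ca/ca.* "$dir/$name".*; do
    [ -f "$f" ] || continue   # glob pattern that matched nothing
    [ "$(mode_of "$f")" = "400" ] || { echo "$f is not mode 400"; rc=1; }
  done
  return $rc
}

# Optional: confirm the node certificate was issued by the deployed CA.
verify_chain() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipped"; return 0; }
  openssl verify -CAfile "$1/ca/ca.crt" "$1/$2.crt"
}

# Example invocation on a Filebeat (Wazuh server) node:
#   check_certs_dir /etc/filebeat/certs filebeat no && verify_chain /etc/filebeat/certs filebeat
```

The function prints every failed check and returns non-zero, so it can be run from a config-management hook after the copy and chmod steps.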