官方elasticsearch-certutiledit命令

地址：https://www.elastic.co/guide/en/elasticsearch/reference/7.5/certutil.html

• 语法：

bin/elasticsearch-certutil
(
(ca [--ca-dn <name>] [--days <n>] [--pem])

| (cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>])
[--ca-dn <name>] [--ca-pass <password>] [--days <n>]
[--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--keep-ca-key] [--multiple] [--name <file_name>] [--pem])

| (csr [--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--name <file_name>])

[-E <KeyValuePair>] [--keysize <bits>] [--out <file_path>]
[--pass <password>]
)
[-h, --help] ([-s, --silent] | [-v, --verbose])

语法解析：

elasticsearch-certutil命令后跟三种不同的模式，每种模式都有不同的参数选项
这三种模式分别是：CA模式，CERT模式和CSR模式.

可以指定下列模式之一：ca，cert，csr。该 elasticsearch-certutil命令还支持静默操作模式，以使批处理操作更容易。

• 模式

Descriptionedit
You can specify one of the following modes: ca, cert, csr. The elasticsearch-certutil command also supports a silent mode of operation to enable easier batch operations.

CA modeedit
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which holds the CA certificate and the private key for the CA. If you specify the --pem parameter, the command generates a zip file, which contains the certificate and private key in PEM format.

You can subsequently use these files as input for the cert mode of the command.

CERT modeedit
The cert mode generates X.509 certificates and private keys. By default, it produces a single certificate and key for use on a single instance.

To generate certificates and keys for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.

An instance is any piece of the Elastic Stack that requires a TLS or SSL certificate. Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats might all require a certificate and private key. The minimum required information for an instance is its name, which is used as the common name for the certificate. The instance name can be a hostname value or a full distinguished name. If the instance name would result in an invalid file or directory name, you must also specify a file name in the --name command parameter or in the filename field in an input YAML file.

You can optionally provide IP addresses or DNS names for each instance. If neither IP addresses nor DNS names are specified, the Elastic stack products cannot perform hostname verification and you might need to configure the verification_mode security setting to certificate only. For more information about this setting, see Security settings.

All certificates that are generated by this command are signed by a CA. You can provide your own CA with the --ca or --ca-cert parameters. Otherwise, the command automatically generates a new CA for you. For more information about generating a CA, see the CA mode of this command.

By default, the cert mode produces a single PKCS#12 output file which holds the instance certificate, the instance private key, and the CA certificate. If you specify the --pem parameter, the command generates PEM formatted certificates and keys and packages them into a zip file. If you specify the --keep-ca-key, --multiple or --in parameters, the command produces a zip file containing the generated certificates and keys.

CSR modeedit
The csr mode generates certificate signing requests (CSRs) that you can send to a trusted certificate authority to obtain signed certificates. The signed certificates must be in PEM or PKCS#12 format to work with Elasticsearch security features.

By default, the command produces a single CSR for a single instance.

To generate CSRs for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.

The csr mode produces a single zip file which contains the CSRs and the private keys for each instance. Each CSR is provided as a standard PEM encoding of a PKCS#10 CSR. Each key is provided as a PEM encoding of an RSA private key.

三种模式说明

CA模式说明：
该ca模式将生成一个新的证书颁发机构（CA）。默认情况下，它会生成一个PKCS＃12输出文件，其中包含CA证书和CA的私钥。如果指定--pem参数，该命令将生成一个zip文件，其中包含PEM格式的证书和私钥。
随后，您可以将这些文件用作cert命令模式的输入。

CERT模式说明：
该cert模式生成X.509证书和私钥。默认情况下，它会生成单个证书和密钥，以用于单个实例。
要为多个实例生成证书和密钥，请指定 --multiple参数，该参数会提示您有关每个实例的详细信息。或者，您可以使用--in参数指定一个YAML文件，其中包含有关实例的详细信息。

实例是需要TLS或SSL证书的弹性堆栈的任何部分。根据您的配置，Elasticsearch，Logstash，Kibana和Beats可能都需要证书和私钥。实例所需的最少信息是其名称，该名称用作证书的通用名称。实例名称可以是主机名值或完整的专有名称。如果实例名称将导致无效的文件或目录名称，则还必须在--name命令参数或filename输入YAML文件的字段中指定文件名。

您可以选择为每个实例提供IP地址或DNS名称。如果既未指定IP地址也未指定DNS名称，则Elastic stack产品无法执行主机名验证，您可能需要将verification_mode安全性设置配置 为certificateonly。有关此设置的更多信息，请参阅“ 安全性设置”。

该命令生成的所有证书均由CA签名。您可以为自己的CA提供--ca或--ca-cert参数。否则，该命令会自动为您生成一个新的CA。有关生成CA的更多信息，请参阅此命令的CA模式。

默认情况下，该cert模式会生成一个包含实例证书，实例私钥和CA证书的PKCS＃12输出文件。如果指定--pem参数，该命令将生成PEM格式的证书和密钥，并将其打包为zip文件。如果指定了--keep-ca-key，--multiple或--in参数，所述命令生成包含所生成的证书和密钥的zip文件。

CSR模式说明：
该csr模式生成证书签名请求（CSR），您可以将其发送给受信任的证书颁发机构以获取签名的证书。签名证书必须为PEM或PKCS＃12格式，才能与Elasticsearch安全功能一起使用。

默认情况下，该命令为单个实例生成单个CSR。

要为多个实例生成CSR，请指定--multiple参数，该参数会提示您有关每个实例的详细信息。或者，您可以使用--in参数指定一个YAML文件，其中包含有关实例的详细信息。

该csr模式将生成一个单个zip文件，其中包含每个实例的CSR和私钥。提供每个CSR作为PKCS＃10 CSR的标准PEM编码。每个密钥均作为RSA私钥的PEM编码提供。

• 参数详解：

ca
Specifies to generate a new local certificate authority (CA). This parameter cannot be used with the csr or cert parameters.
cert
Specifies to generate new X.509 certificates and keys. This parameter cannot be used with the csr or ca parameters.
csr
Specifies to generate certificate signing requests. This parameter cannot be used with the ca or cert parameters.
--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter cannot be used with the ca or csr parameters.
--ca-cert <file_path>
Specifies the path to an existing CA certificate (in PEM format). You must also specify the --ca-key parameter. The --ca-cert parameter cannot be used with the ca or csr parameters.
--ca-dn <name>
Defines the Distinguished Name (DN) that is used for the generated CA certificate. The default value is CN=Elastic Certificate Tool Autogenerated CA. This parameter cannot be used with the csr parameter.
--ca-key <file_path>
Specifies the path to an existing CA private key (in PEM format). You must also specify the --ca-cert parameter. The --ca-key parameter cannot be used with the ca or csr parameters.
--ca-pass <password>
Specifies the password for an existing CA private key or the generated CA private key. This parameter cannot be used with the ca or csr parameters.
--days <n>
Specifies an integer value that represents the number of days the generated certificates are valid. The default value is 1095. This parameter cannot be used with the csr parameter.
--dns <domain_name>
Specifies a comma-separated list of DNS names. This parameter cannot be used with the ca parameter.
-E <KeyValuePair>
Configures a setting.
-h, --help
Returns all of the command parameters.
--in <input_file>
Specifies the file that is used to run in silent mode. The input file must be a YAML file. This parameter cannot be used with the ca parameter.
--ip <IP_addresses>
Specifies a comma-separated list of IP addresses. This parameter cannot be used with the ca parameter.
--keep-ca-key
When running in cert mode with an automatically-generated CA, specifies to retain the CA private key for future use.
--keysize <bits>
Defines the number of bits that are used in generated RSA keys. The default value is 2048.
--multiple
Specifies to generate files for multiple instances. This parameter cannot be used with the ca parameter.
--name <file_name>
Specifies the name of the generated certificate. This parameter cannot be used with the ca parameter.
--out <file_path>
Specifies a path for the output files.
--pass <password>
Specifies the password for the generated private keys.

Keys stored in PKCS#12 format are always password protected, however, this password may be blank. If you want to specify a blank password without a prompt, use --pass "" (with no =) on the command line.

Keys stored in PEM format are password protected only if the --pass parameter is specified. If you do not supply an argument for the --pass parameter, you are prompted for a password. Encrypted PEM files do not support blank passwords (if you do not wish to password-protect your PEM keys, then do not specify --pass).

--pem
Generates certificates and keys in PEM format instead of PKCS#12. This parameter cannot be used with the csr parameter.
-s, --silent
Shows minimal output.
-v, --verbose
Shows verbose output.

参数翻译：

ca 指定生成新的本地证书颁发机构（CA）。此参数不能与csr或cert参数一起使用。
cert 指定生成新的X.509证书和密钥。此参数不能与csr或ca参数一起使用。
csr 指定生成证书签名请求。此参数不能与ca或cert参数一起使用。
--ca <file_path> 指定到现有CA密钥对的路径（采用PKCS＃12格式）。此参数不能与ca或csr参数一起使用。
--ca-cert <file_path> 指定现有CA证书的路径（PEM格式）。您还必须指定--ca-key参数。该--ca-cert 参数不能与ca或csr参数一起使用。
--ca-dn <name> 定义用于生成的CA证书的专有名称（DN）。默认值为 CN=Elastic Certificate Tool Autogenerated CA。该参数不能与csr参数一起使用。
--ca-key <file_path> 指定现有CA私钥的路径（PEM格式）。您还必须指定--ca-cert参数。该--ca-key 参数不能与ca或csr参数一起使用。
--ca-pass <password> 指定现有CA私钥或生成的CA私钥的密码。此参数不能与ca或 csr参数一起使用。
--days <n> 指定一个整数值，该整数值表示生成的证书有效的天数。默认值为1095。该参数不能与csr参数一起使用。
--dns <domain_name> 指定逗号分隔的DNS名称列表。该参数不能与ca参数一起使用。
-E <KeyValuePair> 配置设置。
-h, --help 返回所有命令参数。
--in <input_file> 指定用于以静默方式运行的文件。输入文件必须是YAML文件。该参数不能与ca 参数一起使用。
--ip <IP_addresses> 指定逗号分隔的IP地址列表。该参数不能与ca参数一起使用。
--keep-ca-key 在cert具有自动生成的CA的模式下运行时，指定保留CA私钥以备将来使用。
--keysize <bits> 定义在生成的RSA密钥中使用的位数。默认值为2048。
--multiple 指定为多个实例生成文件。该参数不能与ca参数一起使用。
--name <file_name> 指定生成的证书的名称。该参数不能与ca参数一起使用。
--out <file_path> 指定输出文件的路径。
--pass <password> 指定生成的私钥的密码。 以PKCS＃12格式存储的密钥始终受密码保护，但是此密码可能为空。如果要在没有提示的情况下指定空白密码，请在命令行上使用--pass ""（不带=）。
仅在--pass指定参数的情况下，以PEM格式存储的密钥才受密码保护 。如果不为参数提供 --pass参数，则提示您输入密码。加密的PEM文件不支持空白密码（如果您不希望使用密码保护PEM密钥，则不要指定 --pass）。
--pem 以PEM格式而不是PKCS＃12生成证书和密钥。该参数不能与csr参数一起使用。
-s, --silent 显示最少的输出。
-v, --verbose 显示详细输出。

• 举例：

The following command generates a CA certificate and private key in PKCS#12 format:

bin/elasticsearch-certutil ca
You are prompted for an output filename and a password. Alternatively, you can specify the --out and --pass parameters.

You can then generate X.509 certificates and private keys by using the new CA. For example:

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
You are prompted for the CA password and for an output filename and password. Alternatively, you can specify the --ca-pass, --out, and --pass parameters.

By default, this command generates a file called elastic-certificates.p12, which you can copy to the relevant configuration directory for each Elastic product that you want to configure. For more information, see Setting up TLS on a cluster.

Using elasticsearch-certutil in Silent Modeedit
To use the silent mode of operation, you must create a YAML file that contains information about the instances. It must match the following format:

instances:
  - name: "node1" 
    ip: 
      - "192.0.2.1"
    dns: 
      - "node1.mydomain.com"
  - name: "node2"
    ip:
      - "192.0.2.2"
      - "198.51.100.1"
  - name: "node3"
  - name: "node4"
    dns:
      - "node4.mydomain.com"
      - "node4.internal"
  - name: "CN=node5,OU=IT,DC=mydomain,DC=com"
    filename: "node5" 

The name of the instance. This can be a simple string value or can be a Distinguished Name (DN). This is the only required field.


An optional array of strings that represent IP Addresses for this instance. Both IPv4 and IPv6 values are allowed. The values are added as Subject Alternative Names.


An optional array of strings that represent DNS names for this instance. The values are added as Subject Alternative Names.


The filename to use for this instance. This name is used as the name of the directory that contains the instance’s files in the output. It is also used in the names of the files within the directory. This filename should not have an extension. Note: If the name provided for the instance does not represent a valid filename, then the filename field must be present.

When your YAML file is ready, you can use the elasticsearch-certutil command to generate certificates or certificate signing requests. Simply use the --in parameter to specify the location of the file. For example:

bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
This command generates a compressed test1.zip file. After you decompress the output file, there is a directory for each instance that was listed in the instances.yml file. Each instance directory contains a single PKCS#12 (.p12) file, which contains the instance certificate, instance private key, and CA certificate.

You an also use the YAML file to generate certificate signing requests. For example:

bin/elasticsearch-certutil csr --silent --in instances.yml --out test2.zip --pass testpassword
This command generates a compressed file, which contains a directory for each instance. Each instance directory contains a certificate signing request (*.csr file) and private key (*.key file).

举例说明：
以下命令生成PKCS＃12格式的CA证书和私钥：
bin/elasticsearch-certutil ca
提示您输入输出文件名和密码。或者，您可以指定--out和--pass参数。

然后，您可以使用新的CA生成X.509证书和私钥。例如：
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

提示您输入CA密码以及输出文件名和密码。或者，您可以指定--ca-pass，--out和--pass参数。

默认情况下，此命令生成一个名为的文件elastic-certificates.p12，您可以将其复制到要配置的每个Elastic产品的相关配置目录中。有关更多信息，请参阅 在群集上设置TLS。

elasticsearch-certutil在静默模式下使用编辑
要使用静默操作模式，必须创建一个包含有关实例信息的YAML文件。它必须与以下格式匹配：

instances:
  - name: "node1" 
    ip: 
      - "192.0.2.1"
    dns: 
      - "node1.mydomain.com"
  - name: "node2"
    ip:
      - "192.0.2.2"
      - "198.51.100.1"
  - name: "node3"
  - name: "node4"
    dns:
      - "node4.mydomain.com"
      - "node4.internal"
  - name: "CN=node5,OU=IT,DC=mydomain,DC=com"
    filename: "node5" 

实例的名称。这可以是一个简单的字符串值，也可以是一个专有名称（DN）。这是唯一必填字段。
代表此实例的IP地址的字符串的可选数组。IPv4和IPv6值均允许。这些值将作为主题备用名称添加。
代表此实例的DNS名称的可选字符串数组。这些值将作为主题备用名称添加。
用于此实例的文件名。该名称用作在输出中包含实例文件的目录的名称。它也用在目录中文件的名称中。该文件名不应具有扩展名。注意：如果name为实例提供的名称不代表有效的文件名，则该filename字段必须存在。

准备好您的YAML文件后，您可以使用该elasticsearch-certutil命令生成证书或证书签名请求。只需使用--in 参数来指定文件的位置。例如：
bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword
该命令生成一个压缩test1.zip文件。解压缩输出文件后，文件中列出的每个实例都有一个目录 instances.yml。每个实例目录都包含一个PKCS＃12（.p12）文件，该文件包含实例证书，实例私钥和CA证书。

您还可以使用YAML文件生成证书签名请求。例如：
bin/elasticsearch-certutil csr --silent --in instances.yml --out test2.zip --pass testpassword
此命令生成一个压缩文件，其中包含每个实例的目录。每个实例目录都包含一个证书签名请求（.csr文件）和私钥（.key文件）。