Skip to main content
Version: 5.1

Adding the CA Certificate Chain of the Infrastructure to the Search Anywhere Framework Component CA Certificate

To ensure proper operation of authentication and encryption mechanisms, as well as to establish trust between system components, you need to add the infrastructure CA certificate chain to the existing CA file. This file contains a list of trusted root and intermediate certificates used for verifying the authenticity of nodes and components.

CA Certificate Chain Structure:

  • Root CA Certificate – the primary certificate that serves as the trust anchor

  • Intermediate CA Certificates (if used) – provide linkage between the root certificate and end-entity certificates (there may be multiple intermediate certificates)

1. Collecting the Full Certificate Chain

Obtain all required CA certificates from your system administrator.

2. Creating the Certificate Chain File

Combine certificates into a single file (boundle-ca.pem) in the following order:

-----BEGIN CERTIFICATE-----
[Intermediate CA]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----

3. Updating Trusted Certificates in OpenSearch

Add the certificate chain to the file specified in opensearch.yml (typically ${OS_HOME}/config/ca-cert.pem):

cat boundle-ca.pem >> ${OS_HOME}/config/ca-cert.pem
openssl verify -CAfile ${OS_HOME}/config/ca-cert.pem ${OS_HOME}/config/node-cert.pem

4. Updating Trusted Certificates in OpenSearch Dashboards

Add the chain to the file specified in opensearch-dashboards.yml (typically ${OSD_HOME}/config/ca-cert.pem):

cat cat boundle-ca.pem >> ${OSD_HOME}/config/ca-cert.pem 
openssl verify -CAfile ${OSD_HOME}/config/ca-cert.pem ${OSD_HOME}/config/node-cert.pem

5. Updating Trusted Certificates in Logstash

cat boundle-ca.pem >> ${LOGSTASH_HOME}/config/ca-cert.pem 
openssl verify -CAfile ${LOGSTASH_HOME}/config/ca-cert.pem ${LOGSTASH_HOME}/config/node-cert.pem

6. Updating Trusted Certificates in SAF Beat Manager

cat boundle-ca.pem >> ${SBM_HOME}/etc/ssl/ca-cert.pem
openssl verify -CAfile ${SBM_HOME}/etc/ssl/ca-cert.pem ${SBM_HOME}/etc/ssl/cert.pem

7. Updating Trusted Certificates in SAF Beat

cat boundle-ca.pem >> ${SB_HOME}/ca-cert.pem
openssl verify -CAfile ${SB_HOME}/ca-cert.pem ${SB_HOME}/cert.pem