Version: 5.1

Generating Certificates for Search Anywhere Framework Components

This stage creates a new certificate for every node and service in the system so that connections between Search Anywhere Framework (SAF) components are authenticated and encrypted.

Key Requirements

  • Sign the new certificates with the root certificate ca-cert.pem and its private key ca-key.pem, or with one of the intermediate Certificate Authorities (CAs) issued under it. The examples below use the root certificate.

  • Each certificate must include required extensions:

    • Subject Alternative Name (SAN) containing all IP addresses and DNS names of the corresponding SAF component

    • Key Usage (marked critical): Digital Signature, Key Encipherment

    • Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication

  • Certificates must be generated separately for each Search Anywhere Framework node and component

Notation

$PATH_NEW_NODE_KEY – path to the new private key

$PATH_NEW_NODE_CERT_CSR – path to Certificate Signing Request (CSR)

$PATH_OPENSSL_CONFIG – path to OpenSSL configuration file

$PATH_CLIENT_CA – path to the infrastructure root certificate and its private key

$PATH_NEW_NODE_CERT_PEM – path to the signed certificate

Certificate Generation Steps

1. Preparation

Before generation begins, ensure you have:

  • The root certificate (e.g., ca-cert.pem)
  • Corresponding private key (e.g., ca-key.pem)

2. Creating OpenSSL Configuration File

Create $PATH_OPENSSL_CONFIG/openssl.cnf with the SAN entries and other settings. The [ alt_names ] section must be rewritten for every node: it is read both when the CSR is created and when the CA signs it, so a stale copy would put another node's names into the certificate.

[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AE
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Dubai
localityName = Locality Name (eg, city)
localityName_default = Dubai
organizationName = Organization Name (eg, company)
organizationName_default = Test Organization
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = smos-node-name

[ req_ext ]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ alt_names ]
DNS.1 = <NODE_FIRST_DNS_NAME>
DNS.2 = <NODE_SECOND_DNS_NAME>
IP.1 = <NODE_FIRST_IP>
IP.2 = <NODE_SECOND_IP>

3. Generating Certificates for Each Node (Master, Hot-Data, Cold-Data, OSD, Logstash, SAF Beat Manager, SAF Beat)

For each node, execute the following commands (the openssl.cnf referenced in each step must be the one prepared for that node):

  • Generate private key:
    openssl genpkey -algorithm RSA -out $PATH_NEW_NODE_KEY/node-key.pem -pkeyopt rsa_keygen_bits:2048

  • Create Certificate Signing Request (CSR):
    openssl req -new -key $PATH_NEW_NODE_KEY/node-key.pem -out $PATH_NEW_NODE_CERT_CSR/node-cert.csr -config $PATH_OPENSSL_CONFIG/openssl.cnf

  • Sign the CSR with the infrastructure root certificate. The -extfile and -extensions options are what place the SAN, Key Usage and Extended Key Usage into the certificate; openssl x509 -req does not carry extensions over from the CSR by default:
    openssl x509 -req -in $PATH_NEW_NODE_CERT_CSR/node-cert.csr -CA $PATH_CLIENT_CA/ca-cert.pem -CAkey $PATH_CLIENT_CA/ca-key.pem -CAcreateserial -out $PATH_NEW_NODE_CERT_PEM/node-cert.pem -days 1095 -extensions req_ext -extfile $PATH_OPENSSL_CONFIG/openssl.cnf

  • Verify the generated certificate:
    openssl x509 -in $PATH_NEW_NODE_CERT_PEM/node-cert.pem -text -noout

Ensure the certificate contains:

  • SAN (Subject Alternative Name) listing every DNS name and IP address the component is reached by

  • keyUsage marked critical, with Digital Signature and Key Encipherment

  • extendedKeyUsage with TLS Web Server Authentication and TLS Web Client Authentication
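The following script is an added example, not SAF project code; it runs the three steps above end to end for two nodes and then performs the checks a practitioner would want before deploying the files. It assumes a throwaway self-signed root CA created inline (standing in for the real ca-cert.pem and ca-key.pem), made-up node names and addresses, a DN filled in non-interactively with prompt = no instead of the interactive defaults shown above, and the openssl command line tool on the PATH. It also signs one CSR without -extfile to show that the extensions are lost in that case.

```bash
#!/usr/bin/env bash
# Added example (not SAF project code). Assumptions: throwaway test CA instead
# of the real ca-cert.pem/ca-key.pem; node names, DNS names and IPs are made up.
set -euo pipefail

make_test_ca() {            # $1 = working directory; creates ca-key.pem and ca-cert.pem
  local dir="$1"
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
default_md = sha256
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = Test Organization
CN = Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca-key.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/ca-key.pem" -config "$dir/ca.cnf" -days 365 -out "$dir/ca-cert.pem"
}

write_node_config() {       # $1 = file, $2 = CN, $3 = DNS names, $4 = IPs (space separated)
  local i
  {
    printf '%s\n' "[ req ]" "default_md = sha256" "prompt = no" \
      "distinguished_name = req_distinguished_name" "req_extensions = req_ext" \
      "[ req_distinguished_name ]" "C = AE" "ST = Dubai" "L = Dubai" \
      "O = Test Organization" "CN = $2" "[ req_ext ]" "subjectAltName = @alt_names" \
      "keyUsage = critical, digitalSignature, keyEncipherment" \
      "extendedKeyUsage = serverAuth, clientAuth" "[ alt_names ]"
    i=1; for d in $3; do echo "DNS.$i = $d"; i=$((i + 1)); done
    i=1; for a in $4; do echo "IP.$i = $a"; i=$((i + 1)); done
  } > "$1"
}

issue_node_cert() {         # $1 = dir, $2 = node name, $3 = DNS names, $4 = IPs
  local dir="$1" node="$2"
  write_node_config "$dir/$node.cnf" "$node" "$3" "$4"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$node-key.pem" 2>/dev/null
  openssl req -new -key "$dir/$node-key.pem" -config "$dir/$node.cnf" -out "$dir/$node.csr"
  # -extfile/-extensions is what puts SAN, KU and EKU into the certificate:
  # "openssl x509 -req" does not carry extensions over from the CSR by default.
  openssl x509 -req -in "$dir/$node.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1095 -extensions req_ext -extfile "$dir/$node.cnf" \
    -out "$dir/$node-cert.pem" 2>/dev/null
}

sign_without_extfile() {    # the pitfall: same CSR, no -extfile, so no SAN/KU/EKU in the result
  local dir="$1" node="$2"
  openssl x509 -req -in "$dir/$node.csr" -CA "$dir/ca-cert.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1095 -out "$dir/$node-noext-cert.pem" 2>/dev/null
}

has_san() {                 # $1 = certificate file; true if a SAN extension is present
  openssl x509 -in "$1" -noout -text | grep -q "X509v3 Subject Alternative Name"
}

check_node_cert() {         # $1 = dir, $2 = node, $3 = expected DNS name, $4 = expected IP
  local dir="$1" node="$2" txt want
  # 1. chains to the CA that is supposed to have issued it
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/$node-cert.pem" >/dev/null 2>&1 || return 1
  # 2. the private key on disk is the one the certificate was issued for
  [ "$(openssl x509 -in "$dir/$node-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/$node-key.pem" -pubout)" ] || return 1
  # 3. SAN, critical keyUsage and extendedKeyUsage are present with the required values
  txt="$(openssl x509 -in "$dir/$node-cert.pem" -noout -text)"
  for want in "DNS:$3" "IP Address:$4" "X509v3 Key Usage: critical" \
      "Digital Signature, Key Encipherment" \
      "TLS Web Server Authentication, TLS Web Client Authentication"; do
    printf '%s\n' "$txt" | grep -qF -- "$want" || return 1
  done
}

WORK="$(mktemp -d)"
make_test_ca "$WORK"
issue_node_cert "$WORK" saf-master-1   "saf-master-1.saf.internal saf-master-1" "10.0.0.11"
issue_node_cert "$WORK" saf-hot-data-1 "saf-hot-data-1.saf.internal"            "10.0.0.21 10.0.1.21"
sign_without_extfile "$WORK" saf-master-1
check_node_cert "$WORK" saf-master-1 saf-master-1.saf.internal 10.0.0.11 \
  && echo "saf-master-1: OK" || echo "saf-master-1: FAILED"
check_node_cert "$WORK" saf-hot-data-1 saf-hot-data-1.saf.internal 10.0.1.21 \
  && echo "saf-hot-data-1: OK" || echo "saf-hot-data-1: FAILED"
has_san "$WORK/saf-master-1-noext-cert.pem" \
  && echo "noext: unexpected SAN" || echo "noext: no SAN without -extfile, as expected"
```

check_node_cert is the part worth keeping in a real rollout: besides grepping the extensions as the page suggests, it confirms the chain with openssl verify and that the key and certificate actually belong together, which catches the common mistake of copying a certificate to the wrong host.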