Version: 5.1

Adding the CA Certificate Chain of the Infrastructure to the Truststore (JKS)

For Java-based components (such as OpenSearch and Logstash) to function properly, the infrastructure CA certificate chain must be added to the truststore, which is a repository of trusted certificates in JKS format.

OpenSearch Configuration Verification

Ensure that the plugins.security.ssl.transport.truststore_filepath parameter in ${OS_HOME}/config/opensearch.yml points to the truststore that will be updated. Note the truststore location before making changes.

Checking OpenSearch Truststore Contents

To examine the truststore file contents, execute:

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/jdk/bin/keytool -list -keystore <PATH_TO_TRUSTSTORE>

To view the details of each entry, add the -v option:

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/jdk/bin/keytool -list -keystore <PATH_TO_TRUSTSTORE> -v

Importing Infrastructure Certificates to the OpenSearch Truststore

To add a certificate authority certificate, run the command:

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/jdk/bin/keytool -importcert -alias new-root-ca -file root-ca.pem -keystore <PATH_TO_TRUSTSTORE>

If there are intermediate certificate authorities, add their certificates as well:

JAVA_HOME=${OS_HOME}/jdk/ ${OS_HOME}/jdk/bin/keytool -importcert -alias new-intermediate-ca -file intermediate-ca.pem -keystore <PATH_TO_TRUSTSTORE>

Logstash Truststore Verification

Review the input and output blocks of all pipelines for truststore usage, as described in Verifying Logstash Input and Output Plugins. To view the truststore contents:

JAVA_HOME=${LOGSTASH_HOME}/jdk/ ${LOGSTASH_HOME}/jdk/bin/keytool -list -keystore <PATH_TO_TRUSTSTORE>

To view the details of each entry, add the -v option:

JAVA_HOME=${LOGSTASH_HOME}/jdk/ ${LOGSTASH_HOME}/jdk/bin/keytool -list -keystore <PATH_TO_TRUSTSTORE> -v

Importing Certificates to the Logstash Truststore

To add a certificate authority certificate, run the command:

JAVA_HOME=${LOGSTASH_HOME}/jdk/ ${LOGSTASH_HOME}/jdk/bin/keytool -importcert -alias new-root-ca -file root-ca.pem -keystore <PATH_TO_TRUSTSTORE>

If there are intermediate certificate authorities, add their certificates as well:

JAVA_HOME=${LOGSTASH_HOME}/jdk/ ${LOGSTASH_HOME}/jdk/bin/keytool -importcert -alias new-intermediate-ca -file intermediate-ca.pem -keystore <PATH_TO_TRUSTSTORE>

After completing all the steps, the certificate chain will be correctly added to all necessary system components.
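The import commands above take one certificate file per alias, and keytool stores one trusted certificate per alias. The following added example (not part of the product documentation) goes one step further and handles a CA chain delivered as a single PEM bundle, splitting it and importing each certificate under its own alias. The file name ca-chain.pem, the alias prefix infra-ca and the KEYTOOL override variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the product documentation).
# Usage: JAVA_HOME=${OS_HOME}/jdk/ import_chain ca-chain.pem <PATH_TO_TRUSTSTORE> infra-ca
# ca-chain.pem and the infra-ca alias prefix are hypothetical names.

# split_chain BUNDLE OUTDIR: write each certificate to OUTDIR/ca-N.pem, print the count.
# Text outside the BEGIN/END markers (for example subject= lines) is skipped.
split_chain() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { if (inside) close(out); inside = 0 }
    END                           { print n + 0 }
  ' "$1"
}

# import_chain BUNDLE TRUSTSTORE ALIAS_PREFIX: import every certificate under its own alias.
# keytool asks for the store password and shows each fingerprint for confirmation.
import_chain() {
  bundle=$1; store=$2; prefix=$3
  keytool_bin=${KEYTOOL:-${OS_HOME}/jdk/bin/keytool}   # KEYTOOL override is an assumption
  tmp=$(mktemp -d) || return 1
  count=$(split_chain "$bundle" "$tmp") || { rm -rf "$tmp"; return 1; }
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $bundle" >&2
    rm -rf "$tmp"; return 1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    "$keytool_bin" -importcert -alias "${prefix}-${i}" \
      -file "$tmp/ca-$i.pem" -keystore "$store" || { rm -rf "$tmp"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$tmp"
  "$keytool_bin" -list -keystore "$store"   # confirm the new aliases are present
}
```

For Logstash, set KEYTOOL to ${LOGSTASH_HOME}/jdk/bin/keytool. Compare the fingerprints keytool displays with values obtained from the CA administrators before confirming each import.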