==== Creating certificates for OpenSearch ====

<code bash>
cd /etc/opensearch
mkdir certs.old
mkdir certs
chown opensearch:opensearch certs
chmod 600 certs
mv *.pem certs.old/

cd certs
</code>

=== Create the CA certificate ===
Generate a RSA key with 2048 bit length
<code bash>openssl genrsa -out root-ca-myopensearch-key.pem 2048</code>
Generate a Root CA certificate signed with the gerated key valid for 5 years\\
At the end, it's only importnant that CN has a value - else possession of the key is important to sign client certificates  
<code bash>openssl req -new -x509 -sha256 -key root-ca-myopensearch-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=my" -out root-ca-myopensearch.pem -days 1825</code>

=== Create a certificate for the admin user ===
<code bash>openssl genrsa -out myopensearch-admin-key-tmp.pem 2048</code>
Convert the key to PKCS#8
<code bash>openssl pkcs8 -inform PEM -outform PEM -in myopensearch-admin-key-tmp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out myopensearch-admin-key.pem</code>
#Create a CSR 
<code bash>openssl req -new -key myopensearch-admin-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=admin" -out myopensearch-admin.csr</code>
#Sign the CSR
<code bash>openssl x509 -req -in myopensearch-admin.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out myopensearch-admin.pem -days 1825</code>

=== Create the certificate for the node ===
openssl genrsa -out node-01-key-temp.pem 2048</code>
Convert the key format to PKCS#8
openssl pkcs8 -inform PEM -outform PEM -in node-01-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-01-key.pem</code>
Create a CSR
openssl req -new -key node-01-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=node-01"  -out node-01.csr</code>

Create an extension file containing the Subject Alternate Names (SAN):
<code bash>
cat > node-01.ext
subjectAltName = @SAN
[SAN]
DNS.1 = node-01
IP.1 = 1.1.1.127
</code>
after the last line press <ctrl-d>

Generate the cerificate for the node
<code bash>openssl x509 -req -in node-01.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out node-01.pem -days 1825 -extfile node-01.ext</code>

change the owner and permissions of the generated certificates and keys
<code bash>
chown opensearch:opensearch *.pem
chmod 600 *.pem
</code>

Back to [[opensearch:os_installation_linux]]