# admin.conf — OpenSSL request/extension config for the Open Distro admin
# client certificate (CN=admin, the DN listed under
# opendistro_security.authcz.admin_dn in elasticsearch.yml).
# The accompanying script reads this file twice: `openssl req -config admin.conf`
# to build the CSR, and `openssl x509 -extfile admin.conf -extensions v3_req`
# when signing, because `openssl x509 -req` does not carry CSR extensions over.
[req]
# non-interactive: the subject is taken from req_distinguished_name
prompt = no
# only consulted when req generates a key itself; the script passes -key
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# The order of these keys is the order of the subject DN; the resulting DN
# is what the admin_dn entry in elasticsearch.yml has to match exactly.
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = admin
[v3_req]
subjectAltName = @alt_names
# NOTE(review): this certificate is only ever presented as a client
# certificate; serverAuth is not required for that and could be dropped
# to keep the key usable for one purpose only.
extendedKeyUsage = serverAuth,clientAuth
[alt_names]
DNS.1 = localhost
DNS.2 = admin
IP.1 = 127.0.0.1
# NOTE(review): 0.0.0.0 is a bind-all address, not an address a peer
# verifies a certificate against; this entry adds nothing.
IP.2 = 0.0.0.0
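# ca.conf — OpenSSL config for the self-signed root CA.
# Used by: openssl req -new -x509 -sha256 -key root-ca.key -out root-ca.pem -config ca.conf -days 3650
#
# `openssl req -x509` takes the extensions for the self-signed certificate
# from `x509_extensions`; `req_extensions` only applies when a CSR is
# written. The original file set just req_extensions, so the CA extensions
# below were not applied to root-ca.pem by OpenSSL 1.x (3.x substitutes its
# own defaults). Both keys now point at [ req_ext ] so the section applies
# either way.

# [ ca ] / [ hpbp_ca ] are only read by `openssl ca`, which the
# accompanying script does not invoke; kept for that workflow.
[ ca ]
default_ca = hpbp_ca

[ hpbp_ca ]
default_md = sha256
# days; 10 years
default_days = 3650
# carry extensions (e.g. subjectAltName) from the CSR into the issued cert
copy_extensions = copy

[ req ]
# non-interactive: the subject is taken from req_distinguished_name
prompt = no
# only consulted when req generates a key itself; the script passes -key
default_bits = 2048
distinguished_name = req_distinguished_name
# extensions added to a CSR (openssl req without -x509)
req_extensions = req_ext
# extensions added to the self-signed certificate (openssl req -x509)
x509_extensions = req_ext

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = CA Root Certificate

[ req_ext ]
# A CA key has to be permitted to sign certificates (and CRLs);
# digitalSignature alone is rejected by strict path validators.
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
basicConstraints = critical, CA:true
# lets relying parties match issued certs to this root by key id
subjectKeyIdentifier = hash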
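# elasticsearch.yml — Open Distro for Elasticsearch security settings for
# this lab cluster. Certificate paths are resolved relative to the
# Elasticsearch config directory.
cluster.name: "es-cluster"
# Listens on every interface; narrow to one address on multi-homed hosts.
network.host: 0.0.0.0
opendistro_security.advanced_modules_enabled: true
opendistro_security.roles_mapping_resolution: BOTH
opendistro_security.audit.ignore_users: ['kibanaserver']
# TLS Configuration Transport Layer
# NOTE(review): the accompanying script writes node1.pem / node1.key; the
# names below only resolve if the files are renamed when copied into place.
opendistro_security.ssl.transport.pemcert_filepath: node.pem
opendistro_security.ssl.transport.pemkey_filepath: node.key
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
# Keys are generated unencrypted (openssl pkcs8 -nocrypt), so no passphrase
# is configured.
# opendistro_security.ssl.transport.pemkey_password: ${TRANSPORT_TLS_PEM_PASS}
# Peer node certificates are not checked against the peer's hostname. The
# node certificate from node.conf does carry DNS/IP SANs, so this can be
# enabled once nodes reach each other by one of those names.
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.transport.resolve_hostname: false
# TLS Configuration REST Layer
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: node.pem
opendistro_security.ssl.http.pemkey_filepath: node.key
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
# Demo Certificate Option Disabled
# Was `true`, which contradicted the comment above and kept the plugin
# willing to run with the well-known demo certificates. Every certificate
# here is custom-issued, so the strict setting is the correct one.
opendistro_security.allow_unsafe_democertificates: false
# Lets the plugin create the security index on first start.
opendistro_security.allow_default_init_securityindex: true
# Client certificates with these subject DNs get full admin rights on the
# REST API; must match the DN produced from admin.conf.
opendistro_security.authcz.admin_dn:
- 'CN=admin'
- 'CN=admin,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US'
# Transport-layer peers presenting these DNs are trusted as cluster nodes;
# must match the DN produced from node.conf.
opendistro_security.nodes_dn:
- 'CN=node1'
- 'CN=node1,OU=IT,O=VMware Inc,L=Palo Alto,ST=CA,C=US'
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
# NONE disables nothing, i.e. every audit category is recorded
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE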
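#!/bin/bash
# Builds the lab PKI for the Open Distro stack: one self-signed root CA and
# four leaf certificates (admin client cert, node1, kibana, keycloak), each
# signed by the root with the SAN/EKU extensions from its *.conf file.
# Outputs (current directory): root-ca.key, root-ca.pem and, per leaf,
# <name>.key (unencrypted PKCS#8) plus <name>.pem.
# Requires: openssl; ca.conf, admin.conf, node.conf, kibana.conf, keycloak.conf.

# Abort on the first failing step; otherwise a failed genrsa/req is followed
# by signing a missing CSR and the cleanup still runs.
set -euo pipefail
# Every key file is created owner-readable only.
umask 077

# Root CA (self-signed; extensions are taken from ca.conf). 10-year lifetime.
openssl genrsa -out root-ca.key 2048
openssl req -new -x509 -sha256 -key root-ca.key -out root-ca.pem -config ca.conf -days 3650

# issue_leaf NAME CONF
# Generates NAME.key (PKCS#8, unencrypted) and NAME.pem signed by the root
# CA, applying section [v3_req] of CONF to the certificate. Temporary files
# NAME-key-temp.pem and NAME.csr are removed on success.
issue_leaf() {
  local name=$1 conf=$2
  openssl genrsa -out "${name}-key-temp.pem" 2048
  # Convert to PKCS#8 as the consumers expect. -nocrypt means no passphrase,
  # so the PBE cipher the original passed via -v1 had no effect and is gone.
  openssl pkcs8 -inform PEM -outform PEM -in "${name}-key-temp.pem" -topk8 -nocrypt -out "${name}.key"
  openssl req -new -key "${name}.key" -out "${name}.csr" -config "$conf"
  # `openssl x509 -req` does not copy extensions from the CSR, so the SAN
  # and EKU are re-applied from the conf file here. The original keycloak
  # step omitted -extfile/-extensions and so produced keycloak.pem without
  # a subjectAltName. 10-year lifetime, lab use only.
  openssl x509 -req -in "${name}.csr" -CA root-ca.pem -CAkey root-ca.key -CAcreateserial -sha256 \
    -out "${name}.pem" -days 3650 -extfile "$conf" -extensions v3_req
  rm -f "${name}-key-temp.pem" "${name}.csr"
}

# Admin cert (client certificate listed in opendistro_security.authcz.admin_dn)
issue_leaf admin admin.conf
# Node cert (transport + REST layer)
issue_leaf node1 node.conf
# Kibana cert
issue_leaf kibana kibana.conf
# Keycloak cert
issue_leaf keycloak keycloak.conf

# Cleanup: serial file created by -CAcreateserial
rm -f root-ca.srl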
# keycloak.conf — OpenSSL request/extension config for the Keycloak
# server certificate (CN=keycloak).
# `openssl req -config keycloak.conf` puts the [v3_req] extensions into the
# CSR only; they reach the signed certificate only if the signing step also
# passes `-extfile keycloak.conf -extensions v3_req`, since
# `openssl x509 -req` does not copy CSR extensions by itself.
[req]
# non-interactive: the subject is taken from req_distinguished_name
prompt = no
# only consulted when req generates a key itself; the script passes -key
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# The order of these keys is the order of the subject DN.
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = keycloak
[v3_req]
subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth
[alt_names]
# names clients are expected to use when validating the certificate
DNS.1 = localhost
DNS.2 = keycloak
DNS.3 = keycloak.mylab.io
IP.1 = 127.0.0.1
# NOTE(review): 0.0.0.0 is a bind-all address, not an address a peer
# verifies a certificate against; this entry adds nothing.
IP.2 = 0.0.0.0
# kibana.conf — OpenSSL request/extension config for the Kibana
# certificate (CN=kibana).
# The accompanying script reads this file twice: `openssl req -config kibana.conf`
# to build the CSR, and `openssl x509 -extfile kibana.conf -extensions v3_req`
# when signing, because `openssl x509 -req` does not carry CSR extensions over.
[req]
# non-interactive: the subject is taken from req_distinguished_name
prompt = no
# only consulted when req generates a key itself; the script passes -key
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# The order of these keys is the order of the subject DN.
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = kibana
[v3_req]
subjectAltName = @alt_names
# serverAuth for Kibana's own HTTPS listener, clientAuth for connecting to
# Elasticsearch — presumably both are used; confirm against the Kibana config
extendedKeyUsage = serverAuth,clientAuth
[alt_names]
DNS.1 = localhost
DNS.2 = kibana
IP.1 = 127.0.0.1
# NOTE(review): 0.0.0.0 is a bind-all address, not an address a peer
# verifies a certificate against; this entry adds nothing.
IP.2 = 0.0.0.0
# node.conf — OpenSSL request/extension config for the node1 certificate,
# referenced by elasticsearch.yml for both the transport (node-to-node)
# and REST layers.
# The accompanying script reads this file twice: `openssl req -config node.conf`
# to build the CSR, and `openssl x509 -extfile node.conf -extensions v3_req`
# when signing, because `openssl x509 -req` does not carry CSR extensions over.
[req]
# non-interactive: the subject is taken from req_distinguished_name
prompt = no
# only consulted when req generates a key itself; the script passes -key
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# The order of these keys is the order of the subject DN; the resulting DN
# is what opendistro_security.nodes_dn in elasticsearch.yml matches against.
countryName = US
stateOrProvinceName = CA
localityName = Palo Alto
organizationName = VMware Inc
organizationalUnitName = IT
commonName = node1
[v3_req]
subjectAltName = @alt_names
# a node presumably acts as both TLS server and TLS client on the transport
# layer, so both usages are kept
extendedKeyUsage = serverAuth,clientAuth
[alt_names]
# names other nodes/clients may use for this node; these are what
# enforce_hostname_verification would check against if enabled
DNS.1 = localhost
DNS.2 = node1.mylab.io
DNS.3 = node1
IP.1 = 127.0.0.1
# NOTE(review): 0.0.0.0 is a bind-all address, not an address a peer
# verifies a certificate against; this entry adds nothing.
IP.2 = 0.0.0.0