Opensearch demo 인증서에서 내부 서버용 CA 생성 후 등록

 

1. root CA 생성

root CA로 esnode.pem, admin.pem을 서명

cd /etc/opensearch

sudo openssl genrsa -out root-ca-key.pem 2048

sudo openssl req -new -x509 -sha256 \
  -key root-ca-key.pem \
  -subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=MyRootCA" \
  -out root-ca.pem \
  -days 3650

 

2. 노드 인증서 생성

esnode.pem, esnode-key.pem이 Opensearch 노드가 실제로 쓰는 인증서와 키, 문서 기준으로 노드 키는 PKCS#8이어야 하고, 호스트 인증서는 SAN(subjectAltName)을 넣는게 권장

cd /etc/opensearch

# 1) 임시 개인키
sudo openssl genrsa -out esnode-key-temp.pem 2048

# 2) PKCS#8 변환
sudo openssl pkcs8 -inform PEM -outform PEM \
  -in esnode-key-temp.pem \
  -topk8 -nocrypt -v1 PBE-SHA1-3DES \
  -out esnode-key.pem

# 3) CSR 생성
sudo openssl req -new \
  -key esnode-key.pem \
  -subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=os1.example.com" \
  -out esnode.csr

# 4) SAN 파일
cat <<'EOF' | sudo tee /etc/opensearch/esnode.ext >/dev/null
subjectAltName=DNS:localhost,DNS:os1.example.com,IP:127.0.0.1
extendedKeyUsage=serverAuth,clientAuth
EOF

# 5) root CA로 서명
sudo openssl x509 -req -in esnode.csr \
  -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
  -sha256 -out esnode.pem -days 730 \
  -extfile /etc/opensearch/esnode.ext
  
# 생성 후 확인
openssl x509 -in /etc/opensearch/esnode.pem -noout -subject -ext subjectAltName

 

3. admin 인증서 생성

admin.pem, admin-key.pem은 관리자 인증서. 이건 노드 인증서와 역할이 다르고, securityadmin.sh이나 Security REST API 작업용. admin cert는 특정 호스트에 묶이지 않으므로 SAN이 필요없다고 문서에 명시

cd /etc/opensearch

# 1) 임시 키
sudo openssl genrsa -out admin-key-temp.pem 2048

# 2) PKCS#8 변환
sudo openssl pkcs8 -inform PEM -outform PEM \
  -in admin-key-temp.pem \
  -topk8 -nocrypt -v1 PBE-SHA1-3DES \
  -out admin-key.pem

# 3) CSR 생성
sudo openssl req -new \
  -key admin-key.pem \
  -subj "/C=KR/ST=Seoul/L=Seoul/O=MyCompany/OU=OpenSearch/CN=admin" \
  -out admin.csr

# 4) root CA로 서명
sudo openssl x509 -req -in admin.csr \
  -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial \
  -sha256 -out admin.pem -days 730
  
# 생성 후 확인
openssl x509 -in /etc/opensearch/admin.pem -noout -subject

 

4. 파일 권한 추가

sudo chown opensearch:opensearch /etc/opensearch/esnode.pem /etc/opensearch/esnode-key.pem
sudo chown opensearch:opensearch /etc/opensearch/admin.pem /etc/opensearch/admin-key.pem
sudo chown opensearch:opensearch /etc/opensearch/root-ca.pem

sudo chmod 644 /etc/opensearch/esnode.pem /etc/opensearch/admin.pem /etc/opensearch/root-ca.pem
sudo chmod 600 /etc/opensearch/esnode-key.pem /etc/opensearch/admin-key.pem /etc/opensearch/root-ca-key.pem

 

5. opensearch.yml 설정

 

  • nodes_dn 값은 esnode.pem Subject DN과 정확히 맞아야 함
  • admin_dn 값은 admin.pem Subject DN과 정확히 맞아야 함

 

cluster.name: spring-log-cluster
node.name: node-1
network.host: 0.0.0.0
discovery.type: single-node

path.data: /var/lib/opensearch
path.logs: /var/log/opensearch

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: esnode.pem
plugins.security.ssl.http.pemkey_filepath: esnode-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: root-ca.pem

plugins.security.nodes_dn:
  - "CN=os1.example.com,OU=OpenSearch,O=MyCompany,L=Seoul,ST=Seoul,C=KR"

plugins.security.authcz.admin_dn:
  - "CN=admin,OU=OpenSearch,O=MyCompany,L=Seoul,ST=Seoul,C=KR"

 

6. securityadmin.sh 실행

opensearch-security.yml 변경 시 실행

cd /usr/share/opensearch/plugins/opensearch-security/tools

sudo ./securityadmin.sh \
  -cd /etc/opensearch/opensearch-security \
  -cacert /etc/opensearch/root-ca.pem \
  -cert /etc/opensearch/admin.pem \
  -key /etc/opensearch/admin-key.pem \
  -icl -nhnv

 

7. opensearch-dashboards.yml 수정

sudo cp /etc/opensearch/root-ca.pem /etc/opensearch-dashboards/root-ca.pem
sudo chown root:root /etc/opensearch-dashboards/root-ca.pem
sudo chmod 644 /etc/opensearch-dashboards/root-ca.pem

# /etc/opensearch-dashboards/opensearch_dashboards.yml
opensearch.hosts: ["https://os1.example.com:9200"]
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/etc/opensearch-dashboards/root-ca.pem"]

 

이후 각각 재기동

'Others' 카테고리의 다른 글

logback + fluent-bit + opensearch 개발 서버용  (1) 2026.04.15
keycloak으로 구글 SSO 처리  (0) 2026.03.23
Redis, Prometheus, Grafana 모니터링  (0) 2025.10.31
mybatis sql 로그 pretty하게 남기기  (4) 2025.07.31
Redis + Sentine  (0) 2025.03.28

+ Recent posts