Bash/elk-stack-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
006532e81dd0e56c68e7895b4385e4f072fdf390
elk-stack-scripts/generate-certs.sh
tsvetkov 006532e81d add bash scripts for elk stack
2026-02-27 09:48:42 +00:00

119 lines
3.5 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# =============================================================================
# generate-certs.sh — Generate a custom CA and TLS certificates for ELK stack
# =============================================================================
set -euo pipefail
CERT_DIR="${1:-./certs}"
DAYS_VALID=825
CA_SUBJECT="/C=US/ST=State/L=City/O=ELK-Lab/OU=Infrastructure/CN=ELK-Lab-CA"
DOMAIN="elk.local"
mkdir -p "${CERT_DIR}"
echo ">>> Generating Custom CA..."
openssl genrsa -out "${CERT_DIR}/ca.key" 4096
openssl req -x509 -new -nodes \
-key "${CERT_DIR}/ca.key" \
-sha256 -days ${DAYS_VALID} \
-out "${CERT_DIR}/ca.crt" \
-subj "${CA_SUBJECT}"
# --- Function to generate a certificate signed by the CA ---
generate_cert() {
local NAME="$1"
local CN="$2"
local SANS="$3"
echo ">>> Generating certificate for ${NAME} (CN=${CN})..."
openssl genrsa -out "${CERT_DIR}/${NAME}.key" 2048
cat > "${CERT_DIR}/${NAME}.cnf" <<SSLCNF
[req]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[req_dn]
C = US
ST = State
L = City
O = ELK-Lab
OU = ${NAME}
CN = ${CN}
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = ${SANS}
SSLCNF
openssl req -new -nodes \
-key "${CERT_DIR}/${NAME}.key" \
-out "${CERT_DIR}/${NAME}.csr" \
-config "${CERT_DIR}/${NAME}.cnf"
openssl x509 -req \
-in "${CERT_DIR}/${NAME}.csr" \
-CA "${CERT_DIR}/ca.crt" \
-CAkey "${CERT_DIR}/ca.key" \
-CAcreateserial \
-out "${CERT_DIR}/${NAME}.crt" \
-days ${DAYS_VALID} \
-sha256 \
-extensions v3_req \
-extfile "${CERT_DIR}/${NAME}.cnf"
rm -f "${CERT_DIR}/${NAME}.csr" "${CERT_DIR}/${NAME}.cnf"
}
# --- Elasticsearch ---
generate_cert "elasticsearch" "elasticsearch" \
"DNS:elasticsearch,DNS:elasticsearch.elk.svc.cluster.local,DNS:elasticsearch.elk.svc,DNS:localhost,IP:127.0.0.1"
# --- Kibana ---
generate_cert "kibana" "kibana" \
"DNS:kibana,DNS:kibana.elk.svc.cluster.local,DNS:kibana.elk.svc,DNS:localhost,IP:127.0.0.1"
# --- Logstash ---
generate_cert "logstash" "logstash" \
"DNS:logstash,DNS:logstash.elk.svc.cluster.local,DNS:logstash.elk.svc,DNS:localhost,IP:127.0.0.1"
# --- NGINX ---
generate_cert "nginx" "kibana.${DOMAIN}" \
"DNS:kibana.${DOMAIN},DNS:nginx,DNS:nginx.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"
# --- Authentik ---
generate_cert "authentik" "authentik.${DOMAIN}" \
"DNS:authentik.${DOMAIN},DNS:authentik,DNS:authentik-server,DNS:authentik-server.elk.svc.cluster.local,DNS:localhost,IP:127.0.0.1"
# --- Create Elasticsearch PKCS12 keystore ---
echo ">>> Creating Elasticsearch PKCS12 keystore..."
openssl pkcs12 -export \
-in "${CERT_DIR}/elasticsearch.crt" \
-inkey "${CERT_DIR}/elasticsearch.key" \
-CAfile "${CERT_DIR}/ca.crt" \
-chain \
-out "${CERT_DIR}/elasticsearch.p12" \
-passout pass:changeit
# --- Create Elasticsearch HTTP PKCS12 keystore ---
cp "${CERT_DIR}/elasticsearch.p12" "${CERT_DIR}/elastic-http.p12"
# --- Cleanup serial file ---
rm -f "${CERT_DIR}/ca.srl"
echo ""
echo "=== Certificates generated in ${CERT_DIR}/ ==="
ls -la "${CERT_DIR}/"
echo ""
echo "CA certificate: ${CERT_DIR}/ca.crt"
echo "CA private key: ${CERT_DIR}/ca.key"
echo "Elasticsearch cert: ${CERT_DIR}/elasticsearch.crt"
echo "Kibana cert: ${CERT_DIR}/kibana.crt"
echo "Logstash cert: ${CERT_DIR}/logstash.crt"
echo "NGINX cert: ${CERT_DIR}/nginx.crt"
echo "Authentik cert: ${CERT_DIR}/authentik.crt"
Reference in New Issue View Git Blame Copy Permalink