Manage Certificates with Data Node

When you install Graylog with Data Node, or when you migrate existing indices to Data Node architecture, you are prompted to create a certificate authority (CA) so that Graylog can secure your data in OpenSearch. The Data Node section of the web interface lets you manage existing certificates and issue new ones.

Hint: You can also upload your own CA and certificates. If you choose this option, you can still use the Data Node web interface to manage certificate policy and certificate renewals. If you are unable to upload a CA, you must configure certificates for Data Node in the Data Node configuration file and manage them externally.

To manage certificates through Graylog, navigate to the Data Nodes page via System > Data Nodes and select the Configuration tab.

Manage Certificates

The Configuration tab shows the current policy established for certificates, including the Renewal Mode and Certificate Lifetime. This policy is typically set when you create the CA.

Edit Certificate Policy

To update the certificate policy:

  1. Click Edit configuration.

  2. Select the Certificate Renewal Mode:

    • Automatic: (Default) Renews all expiring certificates without user interaction.

    • Manual: Creates a system notification when one or more certificates are about to expire. You must manually renew certificates.

  3. Set the Certificate Lifetime. This value determines how long newly created certificates remain valid. The default value is 30 days.

  4. Click Update configuration.

Renew Certificates

If you select Automatic as your renewal policy, certificates renew automatically before expiration. You do not need to take any additional action to ensure certificates are renewed as required.

For Manual renewal, navigate to the Data Nodes tab, then select Renew certificate from the More menu for the chosen node. The certificate is renewed for the Certificate Lifetime set in the certificate policy.

Create Certificates for Third-Party Tools

If you have third-party tools that require access to OpenSearch within the Data Node (for instance, via HTTPS), you need to generate a client certificate.

Hint: Certificates generated using this menu expire based on the renewal policy configured for Data Node. This value defaults to 30 days. Any generated certificate must be replaced when it expires.

  1. From the Data Nodes page (System > Data Nodes), select the Configuration tab.

  2. Select Generate Client Certificate.

  3. Complete the following fields:

    • Principal: Fully qualified domain name (FQDN) of the server you will connect to. This value is the hostname of the Data Node server you want to query. For example, if the hostname of the client is server123, and its domain is network.local, its FQDN would be server123.network.local.

    • Role: Defaults to all_access, which is what is required in most cases. See users and roles for a list of predefined roles.

    • Password: Password used when generating the private key from which the certificate is issued.

  4. Save the certificates into separate files with the following naming conventions:

    • Private Key: client-cert.key

    • Certificate: client-cert.crt

Use Third-Party Tools

After your client certificate is issued, you can use third-party tools such as curl or Grafana to query OpenSearch's API.

Query via Curl

If you choose to use a command-line tool such as curl, save the private key and certificate text files and name them as above. You can run this command from your terminal:

curl "https://hostname.domain.tld:9200/_cluster/health?pretty" -k --cert client-cert.crt --key client-cert.key

Query via Grafana

If you choose to use Grafana, you can copy and paste the certificates into the relevant boxes.

Warning: Grafana version 9.0.0 or higher is required along with the grafana-opensearch-datasource plugin.

We encourage you to read the Grafana documentation for full instructions on using Grafana with OpenSearch. The following steps in the configuration process are worth noting:

  • Add OpenSearch as a new data source.

  • Specify the URL using HTTPS, such as https://hostname.domain.tld:9200.

  • After pasting the certificate files into their relevant Grafana boxes, you might need to correct the certificate formats so that -----END CERTIFICATE----- and -----END RSA PRIVATE KEY----- each start on a new line. This change must be applied to the CA, client certificate, and client key.
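As an added example (not part of the Graylog documentation), the following Python helper rewrites pasted PEM text into the layout Grafana expects: each BEGIN/END marker on its own line, the base64 body wrapped at 64 columns, and an error when a body is not valid base64, which is the usual sign of a truncated paste. It assumes standard PEM markers; the sample certificate and key bodies are constructed placeholders, not real credentials.

```python
import base64
import binascii
import re

# Matches one PEM block; the END label must equal the BEGIN label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def normalize_pem(text: str) -> str:
    """Return the PEM blocks in `text` in canonical layout: BEGIN and END
    markers on their own lines and the base64 body wrapped at 64 columns,
    which is what Grafana (and most TLS libraries) expect. Raises ValueError
    when no block is found or a body is not valid base64, so a truncated
    paste is caught before it is stored in a data source."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        label = match.group("label")
        body = re.sub(r"\s+", "", match.group("body"))  # drop stray newlines and spaces
        try:
            base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]))
    if not blocks:
        raise ValueError("no PEM block found")
    return "\n".join(blocks) + "\n"


def is_canonical_pem(text: str) -> bool:
    """True when `text` is already in the layout normalize_pem() produces."""
    try:
        return normalize_pem(text) == text
    except ValueError:
        return False


# Constructed samples (placeholder base64, not a real certificate or key):
# the END marker runs straight onto the body, as a Grafana paste can produce.
_BODY = base64.b64encode(bytes(range(100))).decode()  # 136 characters
BROKEN_CERT = "-----BEGIN CERTIFICATE-----\n" + _BODY + "-----END CERTIFICATE-----"
BROKEN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n" + _BODY[:70] + " \n"
              + _BODY[70:] + "-----END RSA PRIVATE KEY-----")

if __name__ == "__main__":
    print(normalize_pem(BROKEN_CERT + "\n" + BROKEN_KEY))
```

Run the function over the CA, client certificate and client key separately, or over all three at once, before pasting them into Grafana.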