TLS protects the Elasticsearch HTTP endpoint from passive sniffing and active man-in-the-middle attacks, keeping credentials, API keys, and indexed data encrypted in transit. HTTPS on port 9200 also reduces the risk of accidental plaintext access when traffic passes through intermediate networks.
On the HTTP layer, Elasticsearch presents a server certificate and private key to clients, and clients validate the certificate chain against a trusted CA certificate. Certificate validation depends on subjectAltName entries matching the hostnames used for access, so the certificate must cover every DNS name used by clients.
HTTP TLS is separate from node-to-node transport TLS, so cluster-internal encryption requires additional settings beyond the HTTP layer. TLS options live in /etc/elasticsearch/elasticsearch.yml and take effect only after the service is restarted, and an encrypted private key needs its passphrase stored in the Elasticsearch keystore, otherwise the node fails to start.
Steps to configure Elasticsearch for TLS:
- Create a directory for HTTP TLS assets.
$ sudo install -d -o root -g elasticsearch -m 750 /etc/elasticsearch/certs
Restrictive permissions limit access while still allowing the elasticsearch service account to traverse the directory.
- Install the CA certificate used to validate the server certificate chain.
$ sudo install -o root -g elasticsearch -m 644 /tmp/http-ca.crt /etc/elasticsearch/certs/http-ca.crt
- Install the server certificate presented on the HTTPS endpoint.
$ sudo install -o root -g elasticsearch -m 644 /tmp/http.crt /etc/elasticsearch/certs/http.crt
- Install the server private key with restricted permissions.
$ sudo install -o root -g elasticsearch -m 640 /tmp/http.key /etc/elasticsearch/certs/http.key
Overly permissive private-key access can expose cluster credentials, while overly restrictive permissions can prevent Elasticsearch from starting.
- Confirm the elasticsearch service account can read the private key.
$ sudo -u elasticsearch test -r /etc/elasticsearch/certs/http.key
$ echo $?
0
A 0 exit status indicates the key is readable by the service account.
- Configure HTTP TLS settings in /etc/elasticsearch/elasticsearch.yml.
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/http.crt
xpack.security.http.ssl.key: /etc/elasticsearch/certs/http.key
xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs/http-ca.crt"]
YAML is indentation-sensitive, so keep alignment consistent with the rest of the file.
- Restart the Elasticsearch service.
$ sudo systemctl restart elasticsearch
- Confirm the service is active after the restart.
$ sudo systemctl status elasticsearch --no-pager
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 11:49:39 UTC; 5s ago
##### snipped #####
- Verify the HTTPS endpoint completes certificate validation using the CA certificate.
$ curl --silent --show-error --cacert /etc/elasticsearch/certs/http-ca.crt --output /dev/null --write-out "%{http_code}\n" https://localhost:9200/
401
A 401 response confirms that the TLS handshake and chain validation succeeded (curl would otherwise exit with a certificate error instead of an HTTP status), while authentication is still enforced because xpack.security.enabled is true.
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
