There are numerous ways to authenticate to Elasticsearch, with the simplest one being using a username & password.
However, sometimes there's need for a certificate-based authentication, which this article discusses.

Step 1 - generate the client certificate

Note: the commands below generate certificates without passwords. It is recommended to protect the certificates with passwords.

SSH to one of the Elasticsearch nodes and cd to the binaries folder, usually under /user/share/elasticsearch/bin
Generate a CA certificate (not required if you already use one, e.g. for encrypting communication):

./elasticsearch-certutil ca

Next generate the client certificate, replacing the name to match the user in your role_mapping.yaml configuration:

elasticsearch-certutil cert --ca \
  /usr/share/elasticsearch/elastic-stack-ca.p12 \
  -name "CN=loom,OU=IT,DC=acme,DC=com"
client.p12 <ENTER>

Copy the two certificates to the server running Sophie, to the following path (create if missing):


Open the Sophie web application and navigate to adding new data input. Select Elasticsearch.
Toggle "Advanced" settings, fillout the form specifying the full path-to-keystore files and the respective passwords (leave blank if no password):

Fill out the rest of the form as you would normally, and make sure to use https://  as the schema in the server-url field.

That's it! Sophie should start reading from your cluster using the Client-Certificate provided.

Did this answer your question?