Manage TLS certificates
Applies to: ECE, ECK, Self-managed
This page explains how to secure communications between components in your Elastic Stack deployment.
For Elastic Cloud Hosted and Elastic Cloud Serverless deployments, communications security is fully managed by Elastic with no configuration required.
For ECE, ECK, and self-managed deployments, this page provides specific configuration guidance to secure the various communication channels between components.
For a complete comparison of security feature availability and responsibility by deployment type, see Security features by deployment type.
Your Elastic Stack deployment includes several distinct communication channels that must be secured to protect your data and infrastructure.
| Channel | Description | Security needs |
|---|---|---|
| Transport layer | Communication between Elasticsearch nodes within a cluster | Mutual TLS (required); node authentication; node role verification |
| HTTP layer | Communication between external clients and Elasticsearch through the REST API | TLS encryption; authentication (basic auth, API keys, or token-based); optional client certificate authentication |
| Kibana-to-Elasticsearch | Communication from the Kibana server to Elasticsearch for user requests and queries | TLS encryption; service authentication (API keys, service tokens, or mutual TLS) |
The transport layer is used for communication between Elasticsearch nodes in a cluster. Securing this layer prevents unauthorized nodes from joining your cluster and protects internode data.
The way that transport layer security is managed depends on your deployment type:
- ECH, ECE, and Serverless: Transport security is fully managed by Elastic. No configuration is required.
- ECK: Transport security is automatically configured by the operator, but you can customize its service and SSL certificates.
- Self-managed: Transport security must be manually configured following the steps in Set up basic security.
The HTTP layer secures client communication with your Elasticsearch cluster via its REST API, preventing unauthorized access and protecting data in transit.
The way that HTTP layer security is managed depends on your deployment type:
- ECH and Serverless: HTTP security is fully managed by Elastic. No configuration is required.
- ECE: HTTP security is automatically enforced at ECE proxies using self-signed certificates and a default wildcard DNS record. However, it's recommended to configure your own certificates.
- ECK: HTTP security is automatically configured with self-signed certificates. Custom certificates and domain names can be configured.
- Self-managed: HTTP security must be manually configured following Secure HTTP communications.
Kibana connects to Elasticsearch as a client but requires special configuration as it performs operations on behalf of end users.
The way that Kibana-to-Elasticsearch communication security is managed depends on your deployment type:
- ECH and Serverless: Kibana-Elasticsearch communication is fully managed using HTTPS and service tokens.
- ECE and ECK: Kibana-Elasticsearch communication is automatically secured with service tokens.
- Self-managed: Kibana-Elasticsearch communication must be manually secured. For mutual TLS configuration, refer to Mutual TLS authentication between Kibana and Elasticsearch.
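As an added example (not from the Elastic documentation itself), the settings below show how the three channels in the table above map onto a self-managed elasticsearch.yml and kibana.yml: mutual TLS on the transport layer, TLS with optional client certificates on the HTTP layer, and CA-verified HTTPS plus a service account token from Kibana. Hostnames, certificate paths and the token value are placeholders.

```yaml
# elasticsearch.yml (self-managed node); certificate paths are placeholders under config/certs
xpack.security.enabled: true

# Transport layer: mutual TLS between nodes. Every node presents a certificate
# signed by the cluster CA and verifies the certificates of its peers.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate   # "none" disables peer verification; avoid it
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# HTTP layer: TLS for REST clients. Client certificates are accepted but not
# required, so password, API-key and token authentication keep working.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.http.ssl.supported_protocols: ["TLSv1.3", "TLSv1.2"]
---
# kibana.yml: Kibana as a TLS client of Elasticsearch (placeholder host and paths)
elasticsearch.hosts: ["https://es01.example.internal:9200"]
# Trust only the cluster CA and check the server hostname against the certificate.
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/elasticsearch-ca.pem"]
elasticsearch.ssl.verificationMode: full
# Service authentication: a service account token instead of a user password.
elasticsearch.serviceAccountToken: "<PLACEHOLDER_KIBANA_SERVICE_TOKEN>"
# Optional mutual TLS: uncomment to present Kibana's own client certificate.
# elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
# elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
```

With `verificationMode: full`, Kibana refuses to connect if the HTTP certificate's subject alternative names do not include the hostname used in `elasticsearch.hosts`, so issue HTTP certificates for the DNS names clients actually use.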
Managing certificates is critical for secure communications. Certificates have limited lifetimes and must be renewed before expiry to prevent service disruptions.
The way that you manage certificates depends on your deployment type:
- ECH and Serverless: Certificate management is fully automated by Elastic.
- ECE: ECE generates certificates for you. Refer to Manage security certificates.
- ECK: ECK provides flexible options for managing SSL certificates in your deployments, including automatic certificate generation and rotation, integration with external tools like cert-manager, or using your own custom certificates. Custom HTTP certificates require manual management.
- Self-managed: Certificate management is your responsibility. See Security certificates and keys.
- Configure basic security and HTTPS for self-managed deployments.
- Learn about HTTP communication security best practices.
- Understand how to securely manage security certificates and keys.
- Check SSL/TLS version compatibility for optimal encryption.