▪️ Security
In many cases you might want to encrypt traffic between your client and the server. To do that you can specify that the server should use HTTPS protocol rather than HTTP.
To enable HTTPS at least the following two directives should be set in searchd section of the config and there should be at least one listener set to https
In addition to that you can specify certificate authority's certificate (aka root certificate) in
- ssl_ca certificate authority's certificate file
- with CA
- without CA
Example with CA:
ssl_ca = ca-cert.pem
ssl_cert = server-cert.pem
ssl_key = server-key.pemThese steps will help you generate the SSL certificates with 'openssl' tool.
Server can use Certificate Authority to verify the signature of certificates, but can also work with just private key and certificate (w/o the CA certificate).
openssl genrsa 2048 > ca-key.pemGenerate self-signed CA (root) certificate from the private key (fill in at least "Common Name"):
openssl req -new -x509 -nodes -days 365 -key ca-key.pem -out ca-cert.pemServer uses the server certificate to secure communication with client. Generate certificate request and server private key (fill in at least "Common Name" different from the root certificate's common name):
openssl req -newkey rsa:2048 -days 365 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pemWhen done you can verify the key and certificate files were generated correctly:
openssl verify -CAfile ca-cert.pem server-cert.pem