On this page

CloudyWing's Note

English

繁體中文

English

繁體中文

Theme

0 views
AI Translation

Single-Node Elasticsearch Installation Guide for Windows

Download and Installation

  1. Visit the official website to download the Windows version of Elasticsearch.

  2. Directory structure explanation:

    • bin: Executable files directory.
    • config: Configuration files directory.
    • jdk: Built-in Java environment.
    • lib: Core libraries and dependency packages.
    • logs: Log files directory.
    • modules: Core modules.
    • plugins: Plugins directory.

Basic Configuration

YAML Configuration File (config/elasticsearch.yml)

Node and Cluster Settings

yaml
# Node name; if not set, the system will convert the hostname to uppercase as the default value
node.name: node-1

# This setting is only required when creating the cluster for the first time
cluster.initial_master_nodes: ["node-1"]

Path Settings

yaml
# Path settings
# If it starts with /, it represents an absolute path; otherwise, it is relative to the Elasticsearch installation directory
path.data: /path/to/data
path.logs: /path/to/logs

# Only required if you are creating snapshots for backup and restore
path.repo: ["/path/to/repo"]

It is recommended to store data outside the Elasticsearch installation directory so that when performing minor version upgrades, you can point the new installation directly to the existing data location.

Network Settings

yaml
# Network settings
network.host: 0.0.0.0 # localhost is for local access only, 0.0.0.0 allows all connections. If you only want specific network interfaces to accept connections, you can specify a concrete IP address
http.port: 9200        # Default is 9200; only set this if you need to use a different port

# CORS settings
http.cors.enabled: true
# Note: Currently set to allow access from all origins; in actual deployment, this should be restricted to necessary service addresses
http.cors.allow-origin: "*"
http.cors.allow-methods: OPTIONS, HEAD, GET, POST, PUT, DELETE
http.cors.allow-headers: "X-Requested-With, Content-Type, Content-Length, X-User"

JVM Memory Settings (config/jvm.options)

properties
# Minimum memory setting
-Xms2g

# Maximum memory setting
-Xmx2g

Memory usage recommendations:

  1. Set minimum and maximum memory to the same value to avoid performance loss from memory reallocation.
  2. Do not exceed 50% of the system's available memory; reserve at least 2GB for the operating system.
  3. For memory under 32GB, it is recommended to set it to 50% of system memory; for 32GB or more, use 31GB to allow the JVM to use compressed ordinary object pointers to improve performance.

Security Settings

Creating a CA Certificate

A CA (Certificate Authority) certificate is used to sign other certificates, such as SSL certificates or x.509 certificates used between multiple nodes.

  1. Run the certificate generation tool in the bin directory to create a CA certificate (set here for a 5-year validity period; please adjust according to your actual situation):

    bash
    elasticsearch-certutil ca --days 1825

    After execution, the tool's functional description will be displayed, generally stating that this tool will assist in generating X.509 certificates and certificate signing requests (CSR) for use with SSL/TLS in the Elastic Stack. The CA mode will generate a PKCS#12 file containing the certificate and private key.

    text
    This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'ca' mode generates a new 'certificate authority'
This will create a new X.509 certificate and private key that can be used
to sign certificate when running in 'cert' mode.

Use the 'ca-dn' option if you wish to configure the 'distinguished name'
of the certificate authority

By default the 'ca' mode produces a single PKCS#12 output file which holds:
    * The CA certificate
    * The CA's private key

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the CA certificate and private key

  2. Set the CA certificate filename:

    • You can press Enter to use the default filename elastic-stack-ca.p12, or enter a custom filename.
    • The file will be generated in the Elasticsearch installation directory.
    text
    Please enter the desired output file [elastic-stack-ca.p12]:

  3. Set the CA certificate password; the password entered will be used later to create the SSL certificate.

    text
    Enter password for elastic-stack-ca.p12 :

Creating an SSL Certificate

  1. Run the certificate generation tool in the bin directory:

    bash
    elasticsearch-certutil http

  2. Choose whether to generate a CSR. A CSR (Certificate Signing Request) is a request file needed when applying for an official SSL certificate from a certificate authority. If you are using a self-signed certificate or an existing CA certificate, enter N.

    text
    Generate a CSR? [y/N]

  3. Choose whether to use an existing CA certificate. This step will use the CA certificate just created, so enter Y.

    text
    Use an existing CA? [y/N]

  4. Enter the location of the CA certificate: Note the relative path: it is calculated starting from the config folder, so you should place the certificate under config, or use an absolute path starting with /, for example /ELK/elasticsearch-8.17.1/elastic-stack-ca.p12.

    text
    What is the path to your CA?

Please enter the full pathname to the Certificate Authority that you wish to
use for signing your new http certificate. This can be in PKCS#12 (.p12), JKS
(.jks) or PEM (.crt, .key, .pem) format.
CA Path:

  5. Enter the CA certificate password.

    text
    Reading a PKCS12 keystore requires a password.
It is possible for the keystore's password to be blank,
in which case you can simply press <ENTER> at the prompt
Password for elastic-stack-ca.p12:

  6. Enter the certificate validity period.

    text
    You may enter the validity period in years (e.g., 3Y), months (e.g., 18M), or days (e.g., 90D)

For how long should your certificate be valid? [5y]

  7. This option is mainly used to decide whether to generate an independent certificate for each node. For a single-node environment, enter N.

    text
    Do you wish to generate one certificate per node?

If you have multiple nodes in your cluster, then you may choose to generate a
separate certificate for each of these nodes. Each certificate will have its
own private key, and will be issued for a specific hostname or IP address.

Alternatively, you may wish to generate a single certificate that is valid
across all the hostnames or addresses in your cluster.

If all of your nodes will be accessed through a single domain
(e.g., node01.es.example.com, node02.es.example.com, etc) then you may find it
simpler to generate one certificate with a wildcard hostname (*.es.example.com)
and use that across all of your nodes.

However, if you do not have a common domain name, and you expect to add
additional nodes to your cluster in the future, then you should generate a
certificate per node so that you can more easily generate new certificates when
you provision new nodes.

Generate a certificate per node? [y/N]

  8. Enter the hostname. The following are common configuration methods:

    • localhost - If only accessing locally.
    • Actual hostname.
    • *.domain.com - If you want to use a wildcard certificate.
    • Multiple hostnames - Enter one per line, then press Enter when finished.
    text
    Which hostnames will be used to connect to your nodes?

These hostnames will be added as "DNS" names in the "Subject Alternative Name"
(SAN) field in your certificate.

You should list every hostname and variant that people will use to connect to
your cluster over http.
Do not list IP addresses here, you will be asked to enter them later.

If you wish to use a wildcard certificate (for example *.es.example.com) you
can enter that here.

Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

  9. If the hostname is correct, enter Y.

    text
    You entered the following hostnames.

 - {hostname}

Is this correct [Y/n]

  10. Enter the IP address.

    text
    Which IP addresses will be used to connect to your nodes?

If your clients will ever connect to your nodes by numeric IP address, then you
can list these as valid IP "Subject Alternative Name" (SAN) fields in your
certificate.

If you do not have fixed IP addresses, or not wish to support direct IP access
to your cluster then you can just press <ENTER> to skip this step.

Enter all the IP addresses that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.

  11. If the IP address is correct, enter Y.

    text
    You entered the following IP addresses.

 - {ip}

Is this correct [Y/n]

  12. Whether to modify certificate information; if no changes are needed, enter N.

    text
    Other certificate options

The generated certificate will have the following additional configuration
values. These values have been selected based on a combination of the
information you have provided above and secure defaults. You should not need to
change these values unless you have specific requirements.

Key Name: {hostname}
Subject DN: CN={hostname}
Key Size: 2048

Do you wish to change any of these options? [y/N]

  13. Enter the SSL certificate password.

    text
    What password do you want for your private key(s)?

Your private key(s) will be stored in a PKCS#12 keystore file named "http.p12".
This type of keystore is always password protected, but it is possible to use a
blank password.

If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]

  14. Enter the SSL certificate password again.

    text
    If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file:  [<ENTER> for none]
Repeat password to confirm:

  15. This step sets the storage location for the generated files. The tool will generate the private key, public certificate, and sample configuration options for Elastic Stack products, and pack these files into a zip archive. If you want to use the default filename elasticsearch-ssl-http.zip, just press Enter.

    text
    Where should we save the generated files?

A number of files will be generated including your private key(s),
public certificate(s), and sample configuration options for Elastic Stack products.

These files will be included in a single zip archive.

What filename should be used for the output zip file? [elasticsearch-ssl-http.zip]

  16. Create a certs folder in the config directory and place the http.p12 file inside it after unzipping.

  17. Create a keystore and add the certificate password:

    1. Create keystore:

      bash
      elasticsearch-keystore create

    2. After execution, you will see a confirmation message:

      text
      Created elasticsearch keystore in {path}/config/elasticsearch.keystore

    3. Add the SSL certificate password to the keystore:

      bash
      elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

    4. Enter the password set when creating the SSL certificate earlier.

      text
      Enter value for xpack.security.http.ssl.keystore.secure_password:

    5. If a Truststore is configured, you must additionally add the CA certificate password to the keystore:

      bash
      elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password

    6. Enter the CA certificate password.

      text
      Enter value for xpack.security.http.ssl.truststore.secure_password:

  18. Add settings to elasticsearch.yml:

    yaml
    # Enable xpack features; in newer versions, it is true by default, no special setting needed
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "certs/elasticsearch/http.p12"

TIP

When configuring SSL certificates, there are two certificate file-related settings:

  • Keystore: Used to store the server's private key and certificate.
  • Truststore: Used to store trusted CA certificates.

The http.p12 file generated using elasticsearch-certutil http already contains the necessary CA certificate. Therefore, you can use the same p12 file for both the Keystore and Truststore. If you have special requirements, you can also use different p12 files, but ensure they are all signed by the same CA certificate.

The system defaults to using the Truststore setting as the content of the Keystore.

Note: This setting only applies to SSL certificates; for x.509 certificate settings between multiple clusters, they usually need to be specified separately.

Therefore, if xpack.security.http.ssl.truststore.path is not specifically set, the system will automatically use the value of xpack.security.http.ssl.keystore.path.

WARNING

  • Currently, testing shows that the CA certificate generated by elasticsearch-certutil ca cannot be used as a Truststore.
  • In elasticsearch.yml, the path for xpack.security.http.ssl.keystore.path must be relative to the config directory. If you use an absolute path pointing to another location, the system will generate an error and fail to start.

Creating x.509 Certificates

WARNING

Regarding whether x.509 certificates for transport need to be configured in a single-node environment, I have tested this in three environments on Elasticsearch version 8.17.1: on my local machine, SSL could be enabled without configuration, but on the other two servers, it had to be configured to enable it. I have not yet figured out the reason for the different results. It is recommended to adjust according to the actual situation of each environment.

  1. Run the certificate generation tool in the bin directory (set here for a 5-year validity period; please adjust according to your actual situation):

    bash
    elasticsearch-certutil cert --ca elastic-stack-ca.p12 –days 1825

    After execution, the tool's functional description will be displayed, generally stating that this tool will assist in generating X.509 certificates and certificate signing requests (CSR) for use with SSL/TLS in the Elastic Stack.

    bash
    This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires an SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.


    * All certificates generated by this tool will be signed by a certificate authority (CA)
      unless the --self-signed command line option is specified.
      The tool can automatically generate a new CA for you, or you can provide your own with
      the --ca or --ca-cert command line options.


By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you specify any of the following options:
    * -pem (PEM formatted output)
    * -multiple (generate multiple certificates)
    * -in (generate certificates from an input file)
then the output will be be a zip file containing individual certificate/key files

  2. Enter the CA certificate password; note that the CA certificate must be in the root directory.

    bash
    Enter password for CA (elastic-stack-ca.p12) :

  3. Enter the filename for the x.509 certificate; you can just press Enter to output the default filename.

    bash
    Please enter the desired output file [elastic-certificates.p12]:

  4. Enter the password for the .x509 certificate:

    bash
    Enter password for elastic-certificates.p12 :

  5. After seeing this message, you will find that the elastic-certificates.p12 file has been added to the installation directory.

    bash
    For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

  6. Create a keystore and add the certificate password:

    1. Set the Keystore password for the x.509 certificate.

      bash
      elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

    2. Enter the password for the x.509 certificate just created.

      bash
      Enter value for xpack.security.transport.ssl.keystore.secure_password:

    3. Set the Truststore password for the x.509 certificate.

      bash
      elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

    4. Enter the password for the x.509 certificate just created.

      bash
      Enter value for xpack.security.transport.ssl.truststore.secure_password:

  7. Add settings to elasticsearch.yml:

    yaml
    xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

User Management

Create a superuser:

bash
elasticsearch-users useradd {username} -p {password} -r superuser
  • Password must be at least 6 characters long.
  • User information is stored in config/users and config/users_roles.

Other user management commands:

bash
elasticsearch-users list            # List users
elasticsearch-users passwd {username}   # Change password
elasticsearch-users userdel {username}  # Delete user

Starting the Service

Manual Start

  1. Open the Command Prompt as an administrator.

  2. Switch to the bin directory:

    batch
    cd D:\ELK\elasticsearch-8.17.1\bin

  3. Execute:

    batch
    elasticsearch.bat

  4. After waiting for the startup to complete, open your browser to test: http://localhost:9200 or https://localhost:9200.

    If cluster_uuid in the JSON response shows _na_, it means the cluster did not start correctly; you need to check the cluster.initial_master_nodes setting.

Registering as a Windows Service

Register as a service to avoid issues when the window is closed or if you forget to start it:

batch
elasticsearch-service.bat install

After registration, you can find Elasticsearch-8.17.1 (elasticsearch-service-x64) in Windows Services and set it to Automatic.

Change Log

  • 2025-01-23 Initial document creation.
  • 2025-03-05 Added x.509 certificate configuration.
  • 2025-03-18 Supplemented keystore description.

Tags

Elastic Stack Elasticsearch

Related Notes

Installing Elasticsearch and Kibana with Docker Compose

2025-09-24 2025-11-040 views
Elastic StackElasticsearchDocker

Elasticsearch Query DSL Syntax Notes

2025-11-040 views
Elastic StackElasticsearch

Considerations for Elasticsearch Dynamic Field Mapping

2025-10-040 views
Elastic StackElasticsearch

Elasticsearch QueryString Query Syntax Notes

2025-04-13 2025-10-030 views
Elastic StackElasticsearch

CloudyWing's Note

Development notes, debugging journals, and architectural insights

Quick Links

Contact

Copyright © 2022-2026 Wing Chou (CloudyWing). All Rights Reserved.