Certificates creation

Wazuh uses certificates to establish trust and confidentiality between its components - the Wazuh indexer, Filebeat and the Wazuh dashboard. The Wazuh server comprises two components, the Wazuh manager and Filebeat. When adding new Wazuh server nodes, an SSL certificate is required for the Filebeat on the new node to communicate securely with the Wazuh indexer.

Perform the following steps on your existing Wazuh server node to generate the certificates required for secure communication among the Wazuh central components.

All-in-one deployment

We generate new certificates for the Wazuh components in an all-in-one deployment. This is necessary because the quickstart install script uses the localhost IP address 127.0.0.1 to create the certificates for the Wazuh indexer, server, and dashboard. Perform the following steps to create new certificates.

  1. Create a config.yml file in the /root directory to add the new Wazuh server node(s):

    # touch /root/config.yml
    

    Edit the /root/config.yml file so that its content is as follows:

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: <WAZUH_INDEXER_NODE_NAME>
          ip: <WAZUH_INDEXER_IP_ADDRESS>
    
      # Wazuh server nodes
      server:
        - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
          ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
          node_type: master
        - name: <NEW_WAZUH_SERVER_NODE_NAME>
          ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
          node_type: worker
    
      # Wazuh dashboard nodes
      dashboard:
        - name: <WAZUH_DASHBOARD_NODE_NAME>
          ip: <WAZUH_DASHBOARD_IP_ADDRESS>
    

    Replace the node names and IP values with your new node names and IP addresses.

    You can assign a different node_type in your installation. In this documentation, we assign the master role to the existing node and the worker role to the new node.

  2. Download and run wazuh-certs-tool.sh to create the certificates for the new node and recreate them for the existing one:

    # curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
    # bash wazuh-certs-tool.sh -A
    
    19/06/2024 13:59:08 INFO: Generating the root certificate.
    19/06/2024 13:59:09 INFO: Generating Admin certificates.
    19/06/2024 13:59:09 INFO: Admin certificates created.
    19/06/2024 13:59:09 INFO: Generating Wazuh indexer certificates.
    19/06/2024 13:59:09 INFO: Wazuh indexer certificates created.
    19/06/2024 13:59:09 INFO: Generating Filebeat certificates.
    19/06/2024 13:59:09 INFO: Wazuh Filebeat certificates created.
    19/06/2024 13:59:09 INFO: Generating Wazuh dashboard certificates.
    19/06/2024 13:59:09 INFO: Wazuh dashboard certificates created.
    
  3. Compress the certificates folder and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
    

    This will copy the certificates to the /home directory of the user on the target system. You can change this to specify a path to your installation directory.

Distributed deployment

For a distributed deployment, the certificates can be generated by either using the pre-existing root CA keys or creating a fresh set of certificates. We recommend you utilize pre-existing root CA keys to generate certificates for new nodes only. We describe both techniques below.

Using pre-existing root CA key

Perform the steps below on your existing Wazuh server node to generate the certificates using the pre-existing root CA key.

Note

You will require a copy of the wazuh-certificates.tar file created during the initial configuration for the Wazuh indexer in steps 4 and 5 or a copy of the root CA keys. If neither is available, you can generate new certificates by following the steps outlined in the next section.

  1. Create a config.yml file in the /root directory to add the new Wazuh server node(s):

    # touch /root/config.yml
    

    Edit the /root/config.yml file to include the node name and IP of the new node:

    nodes:
      # Wazuh server nodes
      server:
        - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
          ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
          node_type: master
        - name: <NEW_WAZUH_SERVER_NODE_NAME>
          ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
          node_type: worker
    

    Replace the values with your node names and their corresponding IP addresses.

  2. Extract the wazuh-certificates.tar file to get the root CA keys:

    # mkdir wazuh-install-files && tar -xf ./wazuh-certificates.tar -C wazuh-install-files
    
  3. Download and run wazuh-certs-tool.sh to create the certificates for the new Wazuh server node using the pre-existing root CA keys:

    # curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
    # bash wazuh-certs-tool.sh -A wazuh-install-files/root-ca.pem wazuh-install-files/root-ca.key
    
    19/06/2024 16:42:37 INFO: Generating Admin certificates.
    19/06/2024 16:42:37 INFO: Admin certificates created.
    19/06/2024 16:42:37 INFO: Generating Filebeat certificates.
    19/06/2024 16:42:38 INFO: Wazuh Filebeat certificates created.
    
  4. Copy the newly created certificates to the wazuh-install-files directory making sure not to replace the admin certificates:

    # cp wazuh-certificates/<NEW_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
    # cp wazuh-certificates/<EXISTING_WAZUH_SERVER_NODE_NAME>* wazuh-install-files
    
  5. Compress the certificates directory into a new wazuh-certificates.tar file and copy it to the new Wazuh server node(s). You can make use of the scp utility to securely copy the compressed file as follows:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-install-files/ .
    # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
    

    This command copies the certificates to the /home directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory.
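Before packaging and copying the archive, you can confirm that a node certificate was signed by the root CA in the same directory and carries the IP address set in config.yml. This is an added example, not part of the Wazuh tooling; it assumes openssl is installed and that the files are named <NODE_NAME>.pem and <NODE_NAME>-key.pem next to root-ca.pem.

```bash
#!/usr/bin/env bash
# Added example: pre-copy check for one node's certificate.
# Assumed layout (not spelled out on the page): <dir>/root-ca.pem,
# <dir>/<node>.pem and, optionally, <dir>/<node>-key.pem.

# check_node_cert <cert_dir> <node_name> <expected_ip>
# Returns 0 if every check passes, 1 on a failed check, 2 on missing input.
check_node_cert() {
    local dir="$1" node="$2" ip="$3"
    local ca="$dir/root-ca.pem" cert="$dir/$node.pem" key="$dir/$node-key.pem"
    local sans cert_pub key_pub

    if [ ! -r "$ca" ] || [ ! -r "$cert" ]; then
        echo "missing $ca or $cert" >&2; return 2
    fi

    # 1. The certificate must chain to the root CA being shipped with it.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by $ca" >&2; return 1
    fi

    # 2. The IP from config.yml must appear as an exact IP subjectAltName.
    sans=$(openssl x509 -in "$cert" -noout -text |
           grep -A1 'Subject Alternative Name' | tail -n1 |
           tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if ! printf '%s\n' "$sans" | grep -qxF "IP Address:$ip"; then
        echo "FAIL: $cert has no subjectAltName for IP $ip" >&2; return 1
    fi

    # 3. If the private key is present, it must belong to this certificate.
    if [ -r "$key" ]; then
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "FAIL: $key does not match $cert" >&2; return 1
        fi
    fi

    echo "OK: $node ($ip) chains to $ca"
}

# Stand-alone use: ./check.sh wazuh-install-files <NODE_NAME> <NODE_IP>
if [ "$#" -eq 3 ]; then check_node_cert "$@"; fi
```

Run it against wazuh-install-files for both the existing and the new server node after step 4 and before creating the tar file.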

Generating new certificates

You can follow the steps below to generate fresh certificates if the pre-existing root-ca keys have been deleted or are not accessible.

  1. Create the /root/config.yml file to reference all your nodes:

    nodes:
      # Wazuh indexer nodes
      indexer:
        - name: <WAZUH_INDEXER_NODE_NAME>
          ip: <WAZUH_INDEXER_IP_ADDRESS>
    
      # Wazuh server nodes
      server:
        - name: <EXISTING_WAZUH_SERVER_NODE_NAME>
          ip: <EXISTING_WAZUH_SERVER_IP_ADDRESS>
          node_type: master
        - name: <NEW_WAZUH_SERVER_NODE_NAME>
          ip: <NEW_WAZUH_SERVER_IP_ADDRESS>
          node_type: worker
    
      # Wazuh dashboard nodes
      dashboard:
        - name: <WAZUH_DASHBOARD_NODE_NAME>
          ip: <WAZUH_DASHBOARD_IP_ADDRESS>
    
  2. Download and execute the wazuh-certs-tool.sh script to create the certificates:

    # curl -sO https://packages.wazuh.com/4.10/wazuh-certs-tool.sh
    # bash wazuh-certs-tool.sh -A
    
  3. Compress the certificates folder and copy it to the new Wazuh indexer node(s). You can make use of the scp utility to securely copy the compressed file:

    # tar -cvf ./wazuh-certificates.tar -C ./wazuh-certificates/ .
    # scp wazuh-certificates.tar <TARGET_USERNAME>@<TARGET_IP_ADDRESS>:
    

    This command copies the certificates to the /home directory of the target user on the endpoint. You can modify the command to specify a path to your installation directory.