Using Your Own Certificate in OCI Search with OpenSearch

You can use your own certificate and bind it to your OpenSearch cluster API endpoint and OpenSearch Dashboards endpoint, so that the endpoints present a certificate issued by a CA your clients and network infrastructure already trust instead of the certificate the service issues for you.

OpenSearch fetches your certificate from the OCI Certificates service, so you must provide the OCID of the certificate imported into the Certificates service when you create or update the OpenSearch cluster.

Import your publicly signed certificate into the Certificates service and ensure you have the appropriate access to use it. For more information, see Importing a Certificate.

Note

Self-signed certificates aren't allowed.

For general information on certificates, see OCI Certificates service.

Note

When you provide your own certificate, OpenSearch continues to validate the certificate's Common Name (CN) or Subject Alternative Names (SANs) against the hostname used to access the OpenSearch API or OpenSearch Dashboards endpoint. When SANs are present the CN is ignored; the CN is used only when the certificate has no SAN. This validation works exactly the same way as when OCI manages the certificates.

In practice this means the hostname you connect to must appear in the certificate's SANs (or be its CN when it has no SAN). If you want to reach the cluster through a custom domain name, create an A-type DNS record that maps that custom domain directly to the OpenSearch API or OpenSearch Dashboards endpoint, and make sure the certificate you import covers that custom domain.
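The following pre-flight check is added here as an example; it is not code from the OCI documentation or from the OpenSearch service. It applies the hostname rule described above (DNS SANs win, CN only as a fallback, wildcard only as the whole leftmost label) and an expiry check to a certificate before you import it or point a cluster at it. It assumes the dict shape that Python's ssl.getpeercert() returns, uses constructed sample certificates, and the hostnames and ports in the commented live check (9200 for the API, 5601 for Dashboards) are assumptions, not values from this page.

```python
import socket
import ssl
import time


def candidate_names(cert):
    """Names the certificate is valid for, applying the rule in the note above:
    if the certificate carries any SAN, only DNS SANs count and the CN is
    ignored; the CN is consulted only when there is no SAN at all."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return [value for kind, value in sans if kind == "DNS"]
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def dnsname_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard is accepted
    only as the whole leftmost label, matching exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*" must be the entire leftmost label; "*.com"-shaped patterns are refused.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_is_covered(cert, hostname):
    return any(dnsname_matches(name, hostname) for name in candidate_names(cert))


def check_certificate(cert, hostname, now=None, min_days_left=30):
    """Return a list of problems; an empty list means the certificate is usable
    for this hostname. `now` is seconds since the epoch (defaults to
    time.time()) so the expiry check is deterministic in tests."""
    problems = []
    if not hostname_is_covered(cert, hostname):
        problems.append(
            f"no SAN/CN in {candidate_names(cert)} matches {hostname!r}")
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        problems.append("certificate has expired")
    elif not_after - now < min_days_left * 86400:
        problems.append(
            f"certificate expires in under {min_days_left} days; "
            "renew it and mark the new version CURRENT")
    return problems


def fetch_peer_cert(host, port):
    """Fetch the certificate a live endpoint serves, in the same dict shape.
    Hostname checking is switched off only so the certificate can be inspected
    with check_certificate(); chain verification stays on (CERT_REQUIRED), so a
    self-signed or untrusted certificate makes the handshake fail. If the
    cluster endpoint is private, run this from a host that can reach it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real certificates) in the dict shape
# that ssl.getpeercert() returns.
SAMPLE_WITH_SAN = {
    "subject": ((("commonName", "cn-is-ignored.example.com"),),),
    "subjectAltName": (("DNS", "search.example.com"),
                       ("DNS", "*.internal.example.com")),
    "notAfter": "Jan 10 00:00:00 2099 GMT",
}
SAMPLE_CN_ONLY = {
    "subject": ((("commonName", "dashboards.example.com"),),),
    "notAfter": "Jan 10 00:00:00 2020 GMT",
}

if __name__ == "__main__":
    # Offline checks against the constructed samples.
    print(check_certificate(SAMPLE_WITH_SAN, "search.example.com"))
    print(check_certificate(SAMPLE_CN_ONLY, "dashboards.example.com"))
    # Live check of a cluster (assumed hostnames and ports: 9200 for the
    # OpenSearch API endpoint, 5601 for the Dashboards endpoint).
    # for host, port in (("search.example.com", 9200),
    #                    ("dashboards.example.com", 5601)):
    #     print(host, check_certificate(fetch_peer_cert(host, port), host))
```

Run the offline part as-is; uncomment the loop at the end to check what a live cluster actually serves after you update its certificate configuration. The same function works for both endpoints, which matters when you use a different certificate for each.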

Policies

Create the following policy so that the OpenSearch cluster's resource principal (request.principal.type='opensearchcluster') can read the certificate. Scope it to the compartment that holds the certificate rather than to the whole tenancy, so that clusters cannot read certificates they have no business using:

Allow any-user to read leaf-certificate-family in compartment <certificate_compartment> where request.principal.type='opensearchcluster'

Grant the following permissions to the group of non-administrator users who create or update the OpenSearch cluster; they need to read the certificate and to manage the association between the cluster and the certificate:

Allow group <group_name> to read leaf-certificate-family in compartment <compartment_name>
Allow group <group_name> to manage certificate-associations in compartment <compartment_name>

Managing Your Own Certificate

OpenSearch always uses the certificate version marked CURRENT in the Certificates service. Renew the certificate well before it expires and mark the new version as CURRENT; OpenSearch does not renew or rotate the certificate for you, and once it expires clients will fail TLS validation against the endpoint. For information on how the OCI Certificates service manages certificates and versions, see Managing Certificates.

Payload

The certificateConfig block of the create and update payloads looks like this when you use your own certificates:

"certificateConfig": {
	"clusterCertificateMode": "OCI_CERTIFICATES_SERVICE",
	"openSearchApiCertificateId": "<certificate_ocid>",
	"dashboardCertificateMode": "OCI_CERTIFICATES_SERVICE",
	"openSearchDashboardCertificateId": "<certificate_ocid>"
}

or, to use the default certificates managed by the OpenSearch service:

"certificateConfig": {
	"clusterCertificateMode": "OPENSEARCH_SERVICE",
	"openSearchApiCertificateId": null,
	"dashboardCertificateMode": "OPENSEARCH_SERVICE",
	"openSearchDashboardCertificateId": null
}

You can use different certificates for the two endpoints, and you can also mix modes, for example a user-defined certificate for the API endpoint and the service-managed certificate for the Dashboards endpoint.

Using Your Own Certificate when Creating a New Cluster

  1. Follow the workflow to create an OpenSearch cluster as described in Creating a Search with OpenSearch Cluster.
  2. In the Configure security page in the workflow, select Show advanced options at the bottom.
    The Security certificate for API endpoint and Security certificate for Dashboard API endpoint options appear.
  3. For either or both of these options where you want to use your own certificate, select User defined.
    The Browse all security certificates panel opens.
  4. Select the compartment containing the certificate you want to use.
    All the certificates in the selected compartment appear in a table.
  5. Select the certificate you want to use for the OpenSearch cluster.
  6. Select Save.

Using Your Own Certificate when Updating an Existing Cluster

  1. Follow the steps to view the details of an OpenSearch cluster as described in Getting a Search with OpenSearch Cluster's Details.
  2. Select the Security information tab.
  3. Select Update certificate information.
    The Update certificate information panel opens.
  4. Enter the following:
    • Update API endpoint certificate: Select this option.
    • User defined: Select this option.
    • Select a security certificate: Select this option.
      The Browse all security certificates panel opens.
    • Select security certificate: Change the compartment if your certificate resides in a different one, select the certificate you want to use for the OpenSearch cluster, and select OK.

    Leave the settings for the Dashboard API endpoint unchanged unless you also want to replace that certificate.

  5. Select Save changes.

Switching Back to the Default Certificate

To switch back to the default certificates provided and managed by the OpenSearch service, edit the OpenSearch cluster as previously described and update the certificate information to select the default, service-managed certificate instead of User defined. In the payload this corresponds to setting clusterCertificateMode and dashboardCertificateMode to OPENSEARCH_SERVICE with the certificate IDs set to null.