Yasagure SE's Technical Notes

I write down the points I got stuck on so that nobody else has to go through the same pain.

Installing and configuring Elasticsearch, part 10: SSL setup (optional)

This part sets up SSL for external connections (the API) to Elasticsearch.
This configuration is optional.

Honestly, I couldn't figure it out from the official site alone.

www.elastic.co

I worked out the procedure based on this article.

www.idata.co.il

The "certgen" command described in that article appears to be outdated, so the setup here uses the "certutil" command instead.

Honestly, I feel it might be better to set up SSL by some other means...

Setup procedure

(1) Run the following command. Do this on any one of the servers.

# /usr/share/elasticsearch/bin/x-pack/certutil cert -multiple -pem

(2) Work through the settings interactively.

The output is a bit hard to read, so I have split it up below.

This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL/TLS in the Elastic stack.

The 'cert' mode generates X.509 certificate and private keys.
    * By default, this generates a single certificate and key for use
       on a single instance.
    * The '-multiple' option will prompt you to enter details for multiple
       instances and will generate a certificate and key for each one
    * The '-in' option allows for the certificate generation to be automated by describing
       the details of each instance in a YAML file

    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
      Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
      may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
      hostname, which will be used as the Common Name of the certificate. A full
      distinguished name may also be used.
    * A filename value may be required for each instance. This is necessary when the
      name would result in an invalid file or directory name. The name provided here
      is used as the directory name (within the zip) and the prefix for the key and
      certificate files. The filename is required if you are prompted and the name
      is not displayed in the prompt.
    * IP addresses and DNS names are optional. Multiple values can be specified as a
      comma separated string. If no IP addresses or DNS names are provided, you may
      disable hostname verification in your SSL configuration.

    * All certificates generated by this tool will be signed by a certificate authority (CA).
    * The tool can automatically generate a new CA for you, or you can provide your own with the
         -ca or -ca-cert command line options.

By default the 'cert' mode produces a single PKCS#12 output file which holds:
    * The instance certificate
    * The private key for the instance certificate
    * The CA certificate

If you elect to generate PEM format certificates (the -pem option), then the output will
be a zip file containing individual files for the instance certificate, the key and the CA certificate

If you elect to generate multiple instances certificates, the output will be a zip file
containing all the generated certificates

Everything from here down is the part where you actually type input.
Enter the hostname and IP address of every Elasticsearch node, and of Kibana as well.
Input points are marked with ★.

Enter instance name: rhel1 ★enter the hostname
Enter name for directories and files of rhel1 [rhel1]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.1 ★enter the IP address
Enter DNS names for instance (comma-separated if more than one) []: rhel1 ★enter the hostname
Would you like to specify another instance? Press 'y' to continue entering instance information: y ★press "y" to keep entering instances
Enter instance name: rhel2 ★
Enter name for directories and files of rhel2 [rhel2]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.2 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel2 ★
Would you like to specify another instance? Press 'y' to continue entering instance information: y ★
Enter instance name: rhel3 ★
Enter name for directories and files of rhel3 [rhel3]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.3 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel3 ★
Would you like to specify another instance? Press 'y' to continue entering instance information: y ★
Enter instance name: rhel4 ★
Enter name for directories and files of rhel4 [rhel4]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.4 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel4 ★
Would you like to specify another instance? Press 'y' to continue entering instance information: y ★
Enter instance name: rhel5 ★
Enter name for directories and files of elastic5 [elastic5]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.5 ★
Enter DNS names for instance (comma-separated if more than one) []: rhel5 ★
Would you like to specify another instance? Press 'y' to continue entering instance information: y ★
Enter instance name: kibana ★
Enter name for directories and files of kibana [kibana]:
Enter IP Addresses for instance (comma-separated if more than one) []: 192.168.0.6 ★
Enter DNS names for instance (comma-separated if more than one) []: kibana ★
Would you like to specify another instance? Press 'y' to continue entering instance information: ←Kibana is the last instance, so just press Enter
Please enter the desired output file [certificate-bundle.zip]: ssl2.zip

Certificates written to /root/ssl2.zip

This file should be properly secured as it contains the private keys for
all instances.

After unzipping the file, there will be a directory for each instance.
Each instance has a certificate and private key.
For each Elastic product that you wish to configure, you should copy
the certificate, key, and CA certificate to the relevant configuration directory
and then follow the SSL configuration instructions in the product guide.

For client applications, you may only need to copy the CA certificate and
configure the client to trust this certificate.

(3) A zip file is created (/root/ssl2.zip in the example above). Copy it to the certificate directory on every Elasticsearch server (/etc/elasticsearch/certificate, created during the TLS setup) and unzip it there.

I no longer have the environment at hand and cannot verify this, but files like the following are produced:

  • hostname.crt
  • hostname.key
  • ca.crt

(4) Add the SSL key passphrase to the keystore on every Elasticsearch server.

#/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
Enter value for xpack.security.http.ssl.secure_key_passphrase: (enter the passphrase)

(5) Add the following definitions to the yml on every Elasticsearch server (appending them at the bottom is fine).

# vi /etc/elasticsearch/elasticsearch.yml

The definitions to add are below.
On each Elasticsearch node, point at the certificate and key that match that host's name.
Also specify the CA certificate.

※ If the paths after unzipping differ, adjust the entries to match what you actually have.

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certificate/hostname.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certificate/hostname.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/certificate/ca.crt" ]

(6) Restart all nodes.
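Before restarting a node in step (6), it is worth checking that the fragment from step (5) on that node really points at its own key and certificate. The script below is an added example, not code from the original post: its "key: value" scan is a minimal parser written for this example, not a full YAML parser, and the sample fragment is constructed for host rhel3.

```python
"""Check the SSL lines step (5) adds to elasticsearch.yml (added example, not
from the original post). The 'key: value' scan is a minimal parser, not YAML."""
import re

REQUIRED = (
    "xpack.security.http.ssl.enabled",
    "xpack.security.http.ssl.key",
    "xpack.security.http.ssl.certificate",
    "xpack.ssl.certificate_authorities",
)

def parse_settings(text):
    """Return {key: value} for top-level 'key: value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([\w.]+):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_http_ssl(text, hostname):
    """Return a list of problems; an empty list means the fragment looks right."""
    s = parse_settings(text)
    problems = [f"missing setting {k}" for k in REQUIRED if k not in s]
    if problems:
        return problems
    if s["xpack.security.http.ssl.enabled"].lower() != "true":
        problems.append("xpack.security.http.ssl.enabled is not true")
    # Each node must present the certificate issued for its own name, or a
    # client verifying the DNS/IP SAN (curl, Kibana) will reject the connection.
    for key, ext in (("xpack.security.http.ssl.key", ".key"),
                     ("xpack.security.http.ssl.certificate", ".crt")):
        if not s[key].endswith(f"/{hostname}{ext}"):
            problems.append(f"{key} does not point at {hostname}{ext}")
    cas = re.findall(r'"([^"]+)"', s["xpack.ssl.certificate_authorities"])
    if not cas or not all(c.endswith("/ca.crt") for c in cas):
        problems.append("xpack.ssl.certificate_authorities does not list ca.crt")
    return problems

# Constructed sample: the fragment from step (5), filled in for host rhel3.
SAMPLE = """xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certificate/rhel3.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certificate/rhel3.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/certificate/ca.crt" ]
"""

if __name__ == "__main__":
    print(check_http_ssl(SAMPLE, "rhel3"))  # [] when run on rhel3
```

Running the same check with the wrong hostname (for example "rhel1" against the rhel3 fragment) reports that both the key and the certificate point at another node, which is the mistake step (5) warns about.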

How to access

Access with curl

Run curl specifying the CA certificate.
※ I did this my own way, so I am not sure it is the correct approach.

Example) # curl --cacert /etc/elasticsearch/certificate/ca/ca.crt -u elastic https://192.168.0.3:9200

Access from the Kibana server

The following settings are required in Kibana's yml (/etc/kibana/kibana.yml).

※ I will write up the Kibana configuration separately, but since that write-up assumes SSL is not used, the definitions are given here.

elasticsearch.url: "https://192.168.0.3:9200"    #changed to https
elasticsearch.username: "kibana"                    #account used to connect to elasticsearch
elasticsearch.password: "password"           #password used to connect to elasticsearch
server.ssl.enabled: true                                    #enable SSL for connections to kibana
server.ssl.certificate: /etc/kibana/kibana.crt  #certificate file for kibana
server.ssl.key: /etc/kibana/kibana.key          #key file for kibana
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.crt" ]  #CA certificate for elasticsearch

After editing the above, restart Kibana and connect to Kibana over https.