The Wazuh stack uses TLS on every inter-service connection: the Indexer exposes its REST API over HTTPS, Filebeat inside the Manager ships events to the Indexer over TLS and authenticates with a client certificate, and the Dashboard presents a TLS-secured web interface. All certificates are generated from a single topology file, config/certs.yml, using the official wazuh/wazuh-certs-generator:0.0.3 image. The generator must be run before the stack is started for the first time, because the service containers mount the certificate files at startup.
Certificate Node Topology
The generator reads its node topology from config/certs.yml. The file for this deployment defines three nodes:
| Section | Node Name | Purpose |
|---|---|---|
| indexer | wazuh.indexer | OpenSearch data node — issues a server certificate for the Indexer’s REST API and inter-node transport |
| server | wazuh.manager | Wazuh Manager — issues a Filebeat client certificate used to authenticate to the Indexer |
| dashboard | wazuh.dashboard | Wazuh Dashboard — issues a server certificate for the HTTPS web interface |
The ip fields are set to the Docker service hostnames (wazuh.indexer, wazuh.manager, wazuh.dashboard) rather than numeric IPs. Docker’s internal DNS resolves these names within the Compose network, so the Subject Alternative Names in each certificate match the hostnames used by the other services. The SANs cover only those names: a client that reaches the Indexer through a published port as localhost or a host IP will get a hostname-mismatch error unless that name is added to certs.yml and the certificates are regenerated, or verification is deliberately relaxed for that one-off check.
Generating Certificates
Run the generator with a single command from the project root. The command starts the wazuh/wazuh-certs-generator:0.0.3 container with the following configuration, taken from generate-indexer-certs.yml:
- CERT_TOOL_VERSION=4.14 — instructs the generator to use certificate profiles matching Wazuh 4.14.
- Output directory — the container writes all certificate files into ./config/wazuh_indexer_ssl_certs/ on the host (mounted at /certificates/ inside the container).
- Input topology — ./config/certs.yml is mounted read-only at /config/certs.yml inside the container.
The --rm flag removes the generator container as soon as it exits, leaving only the certificate files behind.
Generated Certificate Files
After the generator completes, the following files will be present in ./config/wazuh_indexer_ssl_certs/:
| File | Consuming Service | Purpose |
|---|---|---|
| root-ca.pem | Indexer, Dashboard | Root CA certificate — used to verify server and client certificates |
| root-ca-manager.pem | Manager (Filebeat) | Separate root CA certificate for the Manager/Filebeat trust chain |
| wazuh.indexer.pem | Indexer | Indexer node TLS server certificate |
| wazuh.indexer-key.pem | Indexer | Indexer node TLS private key |
| wazuh.manager.pem | Manager (Filebeat) | Filebeat client certificate for authenticating to the Indexer |
| wazuh.manager-key.pem | Manager (Filebeat) | Filebeat client private key |
| wazuh.dashboard.pem | Dashboard | Dashboard HTTPS server certificate |
| wazuh.dashboard-key.pem | Dashboard | Dashboard HTTPS private key |
| admin.pem | Indexer (security init) | OpenSearch admin client certificate — used to apply security configuration |
| admin-key.pem | Indexer (security init) | OpenSearch admin client private key |
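The checks a practitioner would run on this directory before starting the stack, as an added example (not code from this deployment or from Wazuh): for each node in config/certs.yml it confirms that the private key matches the certificate, that the certificate chains to the root CA the consuming service will trust (root-ca-manager.pem for the Manager, root-ca.pem otherwise), that the Subject Alternative Name covers the Docker service hostname, and that the validity window includes the current time. The file names and the CA-per-node mapping come from the table above; the `cryptography` package is assumed, and make_sample_pki() builds constructed in-memory stand-ins for the generated files so the checks can be exercised without running the generator. The same check is the natural thing to rerun after regenerating certificates.

```python
"""Sanity-check the certificate set written by wazuh-certs-generator.
Added example for this page, not code from the deployment repo; assumes the
file names from the table above and the `cryptography` package."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Node names from config/certs.yml -> the root CA each node's certificate must chain to
# (Filebeat on the Manager is issued under root-ca-manager.pem, the others under root-ca.pem).
ROOT_CA_FOR_NODE = {
    "wazuh.indexer": "root-ca.pem",
    "wazuh.manager": "root-ca-manager.pem",
    "wazuh.dashboard": "root-ca.pem",
}


def _spki(public_key):
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def _signed_by(cert, issuer):
    """True when `cert` names `issuer` as its issuer and carries a valid signature from it."""
    pub = issuer.public_key()
    try:
        if isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
    except InvalidSignature:
        return False
    return cert.issuer == issuer.subject


def _utc(cert, attr):
    # cryptography >= 42 exposes aware *_utc properties; older releases return naive UTC.
    value = getattr(cert, attr + "_utc", None)
    return value or getattr(cert, attr).replace(tzinfo=datetime.timezone.utc)


def check_certificate(cert_pem, key_pem, ca_pem, hostname, now=None):
    """Return the problems found; an empty list means the pair is usable as `hostname`."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    cert = x509.load_pem_x509_certificate(cert_pem)
    ca = x509.load_pem_x509_certificate(ca_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    problems = []
    if _spki(key.public_key()) != _spki(cert.public_key()):
        problems.append("private key does not match certificate")
    if not _signed_by(cert, ca):
        problems.append("certificate is not issued by the supplied root CA")
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        # certs.yml `ip:` values become DNS SANs for hostnames and IP SANs for numeric addresses
        names = san.get_values_for_type(x509.DNSName) + \
            [str(ip) for ip in san.get_values_for_type(x509.IPAddress)]
    except x509.ExtensionNotFound:
        names = []
    if hostname not in names:
        problems.append("subjectAltName %r does not cover %r" % (names, hostname))
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        problems.append("certificate is outside its validity window")
    return problems


def check_cert_set(files, nodes=ROOT_CA_FOR_NODE):
    """Check every node's cert/key against its root CA; `files` maps file name -> PEM bytes."""
    report = {}
    for node, ca_file in nodes.items():
        wanted = (node + ".pem", node + "-key.pem", ca_file)
        missing = [name for name in wanted if name not in files]
        if missing:
            report[node] = ["missing file(s): " + ", ".join(missing)]
        else:
            report[node] = check_certificate(*(files[name] for name in wanted), hostname=node)
    return report


def load_cert_dir(cert_dir):
    """Read the generator's output directory (./config/wazuh_indexer_ssl_certs/) into memory."""
    return {name: open(os.path.join(cert_dir, name), "rb").read()
            for name in os.listdir(cert_dir) if name.endswith(".pem")}


def _issue(cn, san_hosts, issuer=None, is_ca=False):
    # Constructed stand-in for the generator's output; used only by make_sample_pki().
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_cert, issuer_key = issuer if issuer else (None, key)
    builder = (x509.CertificateBuilder().subject_name(subject)
               .issuer_name(issuer_cert.subject if issuer_cert else subject)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san_hosts:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(h) for h in san_hosts]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256()), key


def make_sample_pki():
    """Constructed test data mirroring the generated file set: two root CAs, three node pairs."""
    roots = {"root-ca.pem": _issue("root-ca", [], is_ca=True),
             "root-ca-manager.pem": _issue("root-ca-manager", [], is_ca=True)}
    files = {name: cert.public_bytes(serialization.Encoding.PEM) for name, (cert, _) in roots.items()}
    for node, ca_file in ROOT_CA_FOR_NODE.items():
        cert, key = _issue(node, [node], issuer=roots[ca_file])
        files[node + ".pem"] = cert.public_bytes(serialization.Encoding.PEM)
        files[node + "-key.pem"] = key.private_bytes(
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.NoEncryption())
    return files
```

Run check_cert_set(load_cert_dir("./config/wazuh_indexer_ssl_certs")) from the project root once the generator has exited; an empty list per node means that node's files are consistent with each other and with the topology. A certificate that fails the issuer check against the current root CA is exactly what a stale file from an earlier generator run looks like, and a SAN failure for a name such as localhost shows why the certificates only work for the Docker service hostnames.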
Certificate Mounts in docker-compose.yml
Each service mounts only the subset of certificates it needs. The relevant volume entries from docker-compose.yml are shown below.
Wazuh Indexer — mounts the root CA, its own node certificate/key, and the admin certificate/key:
Regenerating Certificates
You may need to regenerate certificates when rotating credentials, changing node hostnames, or after a key compromise. Follow these steps:
Regenerating certificates requires a full stack restart because all three service containers read their certificate files from disk at startup; there is no mechanism to hot-reload TLS material without restarting the containers. The generator also writes a fresh root CA on every run, so the whole set in ./config/wazuh_indexer_ssl_certs/ must be replaced together: a node left with a certificate from the previous run no longer chains to the new root-ca.pem (or root-ca-manager.pem) and its connections will fail.