searchguard tls tool configuration yml

I have set up an ELK stack in the following way:

server1 - elkstack-server.com - ELK stack

server2 - webapp-server.com - web application - Filebeat

This worked well for me.

Now I am trying to secure this stack with Search Guard.

I'm struggling with the certificate. I use the sgtlstool which is shipped with Search Guard.

I'm not able to generate the proper certificate, because I do not fully understand this, even with the help of YouTube and Google.

My configuration yml looks like this:

###                                                                                                                                                                                                             
### Self-generated certificate authority                                                                                                                                                                        
###                                                                                                                                                                                                             
#                                                                                                                                                                                                               
# If you want to create a new certificate authority, you must specify its parameters here.                                                                                                                      
# You can skip this section if you only want to create CSRs                                                                                                                                                     
#                                                                                                                                                                                                               
ca:                                                                                                                                                                                                             
   root:                                                                                                                                                                                                        
      # The distinguished name of this CA. You must specify a distinguished name.                                                                                                                               
      # dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com                                                                                                                                 
      dn: CN=elkstack-server.com,DC=elkstack,DC=server,DC=com                                                                                                                
      # The size of the generated key in bits                                                                                                                                                                   
      keysize: 2048                                                                                                                                                                                             

      # The validity of the generated certificate in days from now                                                                                                                                              
      validityDays: 3650                                                                                                                                                                                        

      # Password for private key                                                                                                                                                                                
      #   Possible values:                                                                                                                                                                                      
      #   - auto: automatically generated password, returned in config output;                                                                                                                                  
      #   - none: unencrypted private key;                                                                                                                                                                      
      #   - other values: other values are used directly as password                                                                                                                                            
      pkPassword: none                                                                                                                                                                                          

      # The name of the generated files can be changed here                                                                                                                                                     
      file: root-ca.pem                                                                                                                                                                                         

   # If you want to use an intermediate certificate as signing certificate,                                                                                                                                     
   # please specify its parameters here. This is optional. If you remove this section,                                                                                                                          
   # the root certificate will be used for signing.
   #intermediate:                                                                                                                                                                                                
      # The distinguished name of this CA. You must specify a distinguished name.                                                                                                                               
      # dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com                                                                                                                                 

      # The size of the generated key in bits                                                                                                                                                                   
      #keysize: 2048                                                                                                                                                                                            

      # Password for private key (auto: generated and returned in config output)
      #pkPassword: auto

      # If you have a certificate revocation list, you can specify its distribution points here                                                                                                                 
      #crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl                                                                                             

###                                                                                                                                                                                                             
### Default values and global settings                                                                                                                                                                          
###                                                                                                                                                                                                             
defaults:                                                                                                                                                                                                       

      # The validity of the generated certificate in days from now                                                                                                                                              
      validityDays: 3650                                                                                                                                                                                        

      # Password for private key                                                                                                                                                                                
      #   Possible values:                                                                                                                                                                                      
      #   - auto: automatically generated password, returned in config output;                                                                                                                                  
      #   - none: unencrypted private key;                                                                                                                                                                      
      #   - other values: other values are used directly as password                                                                                                                                            
      pkPassword: none                                                                                                                                                                                          

      # Specifies to recognize legitimate nodes by the distinguished names                                                                                                                                      
      # of the certificates. This can be a list of DNs, which can contain wildcards.                                                                                                                            
      # Furthermore, it is possible to specify regular expressions by                                                                                                                                           
      # enclosing the DN in //.                                                                                                                                                                                 
      # Specification of this is optional. The tool will always include                                                                                                                                         
      # the DNs of the nodes specified in the nodes section.                                                                                                                                                    
      #nodesDn:                                                                                                                                                                                                 
      #- "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"                                                                                                                                      
      # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'                                                                                                                                                         
      # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'                                                                                                                                                          
      # - 'CN=elk-devcluster*'                                                                                                                                                                                  
      # - '/CN=.*regex/'                                                                                                                                                                                        

      # If you want to use OIDs to mark legitimate node certificates,                                                                                                                                           
      # the OID can be included in the certificates by specifying the following                                                                                                                                 
      # attribute                                                                                                                                                                                               

      # nodeOid: "1.2.3.4.5.5"                                                                                                                                                                                  

      # The length of auto generated passwords                                                                                                                                                                  
      generatedPasswordLength: 12                                                                                                                                                                               

      # Set this to true in order to generate config and certificates for                                                                                                                                       
      # the HTTP interface of nodes                                                                                                                                                                             
      httpsEnabled: true                                                                                                                                                                                        

      # Set this to true in order to re-use the node transport certificates                                                                                                                                     
      # for the HTTP interfaces. Only recognized if httpsEnabled is true                                                                                                                                        

      # reuseTransportCertificatesForHttp: false                                                                                                                                                                

      # Set this to true to enable hostname verification                                                                                                                                                        
      #verifyHostnames: false                                                                                                                                                                                   

      # Set this to true to resolve hostnames                                                                                                                                                                   
      #resolveHostnames: false                                                                                                                                                                                  

###                                                                                                                                                                                                             
### Clients                                                                                                                                                                                                     
###                                                                                                                                                                                                             
#                                                                                                                                                                                                               
# Specify the clients that shall access your ES cluster with certificate authentication here                                                                                                                    
#                                                                                                                                                                                                               
# At least one client must be an admin user (i.e., a super-user). Admin users can                                                                                                                               
# be specified with the attribute admin: true                                                                                                                                                                   
#                                                                                                                                                                                                               
clients:                                                                                                                                                                                                        
  #- name: spock                                                                                                                                                                                                
  #  dn: CN=spock.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com                                                                                                                                     
  #- name: javatest07                                                                                                                                                                                           
    #dn: CN=kirk.example.com,OU=Ops,O=Example Com\, Inc.,DC=example,DC=com                                                                                                                                      
    #admin: true

I use this one certificate now for all the elements of my ELK stack, but it does not work. I copied the public key to server2 for Filebeat. Elasticsearch is reachable via "". I even tried "", but this did not work.

This is the error I get when starting Logstash:

@output_class=LogStash::Outputs::ElasticSearch>", :error=>"Host name 'localhost' does not match the certificate subject provided by the peer (CN=elkstack-server.com,DC=elkstack,DC=server,DC=com)"

My questions:

I think I need more than one certificate!?

filebeat -> logstash
logstash -> elasticsearch
kibana -> elasticsearch

Can I provide these certificates with one configuration.yml?

I hope someone can explain this to me in language that even I (as an absolute newbie) can understand.

Thank you for your help in advance.
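A complete tlsconfig.yml for the two-server layout described in the post, written here as an added example; it is not the poster's file and not Search Guard's own documentation. The hostnames, the 10.0.0.10 address, the organisation name and the client names are assumptions; the section and field names (ca, defaults, nodes, clients, dns, ip, admin) follow the example configuration that ships with sgtlstool. What it shows: the Logstash error in the post is a hostname-verification failure, because Logstash connects to localhost while the only certificate was issued for CN=elkstack-server.com with no Subject Alternative Names. The nodes entry below lists every name and address a client may use, and the clients section issues separate certificates for Logstash, Kibana and an admin user from the same file.

```yaml
# tlsconfig.yml -- added example for the server1/server2 layout in the post.
# Hostnames, IPs, organisation and client names are assumptions; adjust them.

ca:
   root:
      # Give the CA its own DN. Reusing the node hostname here makes the CA
      # certificate and the node certificate hard to tell apart.
      dn: CN=root.ca.elkstack-server.com,OU=CA,O=Elkstack,DC=elkstack,DC=server,DC=com
      keysize: 2048
      validityDays: 3650
      pkPassword: none
      file: root-ca.pem

defaults:
      validityDays: 3650
      pkPassword: none
      generatedPasswordLength: 12
      # Also generate a certificate for the REST/HTTP interface (port 9200),
      # which is the interface Logstash and Kibana connect to.
      httpsEnabled: true
      reuseTransportCertificatesForHttp: false

###
### Nodes: one entry per Elasticsearch node. Every hostname or IP that a
### client may put in its connection URL must appear under dns/ip, otherwise
### the client fails with "Host name 'X' does not match the certificate".
###
nodes:
  - name: elkstack-server
    dn: CN=elkstack-server.com,OU=Ops,O=Elkstack,DC=elkstack,DC=server,DC=com
    dns:
      - elkstack-server.com
      - localhost
    ip:
      - 127.0.0.1
      - 10.0.0.10      # assumed internal address of server1

###
### Clients: one certificate per component that talks to Elasticsearch.
### Filebeat talks to Logstash, not to Elasticsearch, so it is not listed.
###
clients:
  - name: logstash
    dn: CN=logstash.elkstack-server.com,OU=Ops,O=Elkstack,DC=elkstack,DC=server,DC=com
  - name: kibana
    dn: CN=kibana.elkstack-server.com,OU=Ops,O=Elkstack,DC=elkstack,DC=server,DC=com
  # The admin certificate is only for sgadmin.sh; keep it off the
  # application servers, since it bypasses all Search Guard authorisation.
  - name: admin
    dn: CN=admin.elkstack-server.com,OU=Ops,O=Elkstack,DC=elkstack,DC=server,DC=com
    admin: true
```

Run `./sgtlstool.sh -c tlsconfig.yml -ca -crt -t out/` once; it creates the CA and all node and client certificates in a single pass. root-ca.pem is the only file Logstash, Kibana and Filebeat need as a trust anchor; the node's own key pair stays on server1, and each client key pair goes only to the component it was issued for. Either keep the localhost entry under dns or point Logstash at https://elkstack-server.com:9200, but the name in the URL must be one the certificate carries. The Filebeat-to-Logstash leg is a separate TLS setup configured in Logstash's beats input and Filebeat's ssl settings; the logstash client certificate above is for Logstash authenticating to Elasticsearch, not for Logstash acting as a server towards Filebeat.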