ElasticSearch Rest High Level Cl

Author: jason_yv | Source: published 2020-03-11 12:06 | Read 0 times

    Elasticsearch server-side configuration steps:

    Generate the certificates Elasticsearch needs

    • Generate the CA certificate
    bin/elasticsearch-certutil ca
    
    • Generate the certificates for the ES nodes and the Java side
    bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
    

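    Here elastic-stack-ca.p12 is the CA certificate generated in the previous step.
    The example uses the p12 (PKCS#12) format; PEM is also supported. Reference documentation: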
    https://www.elastic.co/guide/en/elasticsearch/reference/6.8/configuring-tls.html#node-certificates

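    Import the certificates on the Java service side

    • Create a new keystore. An existing one can be reused, but creating a new one is recommended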
    keytool -genkeypair -alias metrics -storepass "xxxx" -storetype JKS  -keystore d:\dev_tmp\tls\metrics.keystore
    

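    -keystore: the path where the new keystore is created; the Java service needs it
    -storepass: the keystore password; the Java service needs it
    Full documentation: https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html#keytool_option_genkeypair

    • Import the CA certificate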
    keytool -importcert -alias elastic-ca -file D:\dev_tmp\tls\ca\ca.crt -keystore d:\dev_tmp\tls\metrics.keystore
    

    -keystore: the path specified in the previous step

    • Import the node certificate
    keytool -importcert -alias elastic-java -file D:\dev_tmp\tls\java\java.crt -keystore d:\dev_tmp\tls\metrics.keystore
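
To confirm that the keytool steps above produced the intended truststore, the following added example (not part of the original post) lists the keystore entries and checks that the certificate under alias `elastic-java` is signed by the CA under `elastic-ca`. The class name `TrustStoreCheck` and the `KEYSTORE_PASS` environment variable are assumptions made for illustration; the aliases are the ones used in the commands above.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (not from the original post): audits the keystore built above.
// Set KEYSTORE_PASS in the environment, then run: java TrustStoreCheck <path to metrics.keystore>
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS"); // assumed variable name; keeps the password off the command line
        if (args.length != 1 || pass == null) {
            System.err.println("usage: set KEYSTORE_PASS, then java TrustStoreCheck <keystore>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream is = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(is, pass.toCharArray()); // throws IOException on a wrong password or a modified file
        }
        // Print every entry so unexpected or leftover aliases are visible.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            String subject = c instanceof X509Certificate
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "n/a";
            String kind = ks.isCertificateEntry(alias) ? "trustedCertEntry" : "keyEntry";
            System.out.printf("%-14s %-17s %s%n", alias, kind, subject);
        }
        X509Certificate ca = requireTrustedCert(ks, "elastic-ca");
        X509Certificate node = requireTrustedCert(ks, "elastic-java");
        ca.checkValidity();   // throws if expired or not yet valid
        node.checkValidity();
        if (ca.getBasicConstraints() < 0) {
            throw new IllegalStateException("elastic-ca is not a CA certificate");
        }
        node.verify(ca.getPublicKey()); // throws if elastic-java was not signed by elastic-ca
        System.out.println("OK: elastic-java is signed by elastic-ca and both are within their validity period");
    }

    // Returns the X.509 certificate stored as a trusted-certificate entry under the alias.
    static X509Certificate requireTrustedCert(KeyStore ks, String alias) throws Exception {
        if (!ks.isCertificateEntry(alias)) {
            throw new IllegalStateException("no trusted certificate entry for alias " + alias);
        }
        return (X509Certificate) ks.getCertificate(alias);
    }
}
```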
    

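    Java High Level Client example code

    // Imports needed by the fragment below
    import java.io.InputStream;
    import java.nio.file.Files;
    import java.nio.file.Path;
    import java.nio.file.Paths;
    import java.security.KeyStore;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.StringTokenizer;
    import javax.net.ssl.SSLContext;
    import org.apache.http.HttpHost;
    import org.apache.http.auth.AuthScope;
    import org.apache.http.auth.UsernamePasswordCredentials;
    import org.apache.http.client.CredentialsProvider;
    import org.apache.http.impl.client.BasicCredentialsProvider;
    import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
    import org.apache.http.ssl.SSLContextBuilder;
    import org.apache.http.ssl.SSLContexts;
    import org.elasticsearch.client.RestClient;
    import org.elasticsearch.client.RestClientBuilder;
    import org.elasticsearch.client.RestClientBuilder.HttpClientConfigCallback;
    import org.elasticsearch.client.RestHighLevelClient;

    // Method-body fragment: esClientConfig, client, logger and MetricsException
    // belong to the surrounding class.
    // Elasticsearch username and password
    final CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY,
            new UsernamePasswordCredentials(esClientConfig.getUsername(), esClientConfig.getPassword()));
    try {
        // Path of the newly created keystore file
        Path keyStorePath = Paths.get("D:\\dev_tmp\\tls\\metrics.keystore");
        // Keystore password: the -storepass value used when the certificates were imported
        String keyStorePass = "xxxx";
        KeyStore truststore = KeyStore.getInstance("jks");
        try (InputStream is = Files.newInputStream(keyStorePath)) {
            truststore.load(is, keyStorePass.toCharArray());
        }
        // Trust only the certificates held in this keystore
        SSLContextBuilder sslBuilder = SSLContexts.custom().loadTrustMaterial(truststore, null);
        final SSLContext sslContext = sslBuilder.build();
        // The host setting is a comma-separated list of host:port pairs
        StringTokenizer esHosts = new StringTokenizer(esClientConfig.getHost(), ",", false);
        List<HttpHost> hosts = new ArrayList<>();
        while (esHosts.hasMoreTokens()) {
            String[] host = esHosts.nextToken().trim().split(":");
            hosts.add(new HttpHost(host[0], Integer.parseInt(host[1]), "https"));
        }
        RestClientBuilder builder = RestClient.builder(hosts.toArray(new HttpHost[0]));

        builder.setHttpClientConfigCallback(new HttpClientConfigCallback() {
            @Override
            public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpClientBuilder) {
                httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider);
                return httpClientBuilder.setSSLContext(sslContext);
            }
        });

        client = new RestHighLevelClient(builder);
    } catch (Exception e) {
        logger.error("build elastic search rest client failed!", e);
        throw new MetricsException("Building elastic search rest high level client failed!", e);
    }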
    

    Converting crt to PEM

    openssl x509 -in mycert.crt -out mycert.pem -outform PEM
    

    Reference:
    https://www.ibm.com/developerworks/cn/java/j-lo-socketkeytool/index.html?ca=drs
