Certificate format for Kibana

Hi,

Note: Running ELK 7.9

I am trying to configure TLS in Kibana to try out the Alerts beta feature. By following the official documentation, the bin/elasticsearch-certutil csr tool will generate a cert in PEM format, but in the same article (step 2.b) it looks like I could (somehow) generate the cert in PKCS#12 format. Also in the same article you can find the following in the 3rd paragraph:

Kibana supports certificates and private keys in PEM or PKCS#12 format

In this other thread it is explained that Kibana does not support PKCS#12 format, so I am confused now.

  • Does Kibana support (or not) certs in PKCS#12 format?
    • If YES, please show me how to make my config simpler.
    • If NOT, please update official documentation and remove step 2.b or parts stating that Kibana supports PKCS#12 format, to avoid confusion.

Thank you in advance

Update

After spending some time testing back and forth, I was able to get it to work.

  1. Kibana does support PKCS#12 format.
  2. Make sure you have the following lines within your kibana.yml file:

     server.ssl.enabled: true
     server.ssl.keystore.path: "/etc/kibana/certs/elastic-certificates.p12"
     elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/elastic-stack-ca.p12" ]
     elasticsearch.ssl.verificationMode: certificate

  3. If your certificate is not password protected, make sure to also add an empty string "" to the kibana-keystore. When prompted for a password, just leave it blank.

     $ sudo /usr/share/kibana/bin/kibana-keystore add server.ssl.keystore.password --allow-root

  4. Restart the kibana service.
  5. You can now point your browser to https://[kibana_address]:5601

The above steps worked for me and I hope this helps other users as well.
Cheers!
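
A pre-restart check for the kind of configuration described above, as an added example (not from the original post or from Elastic): it reads the flat settings in a kibana.yml, sniffs whether each referenced file is PEM text or DER binary (PKCS#12 stores are DER-encoded), and reports settings that expect the other format. The setting names are Kibana 7.x ones; the sample paths, file bytes and helper names are constructed for illustration.

```python
import re

# Kibana 7.x settings grouped by the file format each one expects.
PEM_SETTINGS = {"server.ssl.certificate", "server.ssl.key",
                "server.ssl.certificateAuthorities",
                "elasticsearch.ssl.certificateAuthorities"}
P12_SETTINGS = {"server.ssl.keystore.path", "server.ssl.truststore.path",
                "elasticsearch.ssl.keystore.path",
                "elasticsearch.ssl.truststore.path"}

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines of kibana.yml (not full YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split(" #", 1)[0].strip()   # drop inline comments
        if line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        # A value is a scalar or an inline list; keep it as a list of tokens.
        settings[key.strip()] = re.findall(r'[^\s\[\],"\']+', value)
    return settings

def sniff(data):
    """PEM is ASCII armor; PKCS#12 is binary DER, which starts with 0x30."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def check(settings, read_file):
    """Return one finding per file whose encoding does not match its setting."""
    findings = []
    for key, paths in settings.items():
        want = "pem" if key in PEM_SETTINGS else "der" if key in P12_SETTINGS else None
        for path in paths if want else []:
            got = sniff(read_file(path))
            if got != want:
                findings.append(f"{key}: {path} is {got}, setting expects {want}")
    return findings

# Constructed sample: hypothetical paths and placeholder file contents.
SAMPLE_YML = """
server.ssl.enabled: true
server.ssl.keystore.path: "/etc/kibana/certs/kibana.p12"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/ca.p12" ]
"""
SAMPLE_FILES = {"/etc/kibana/certs/kibana.p12": b"\x30\x82\x0a\x00",
                "/etc/kibana/certs/ca.p12": b"\x30\x82\x04\x00"}

if __name__ == "__main__":
    print(check(parse_flat_yaml(SAMPLE_YML), SAMPLE_FILES.__getitem__))
```

On a real host, pass `lambda p: open(p, "rb").read()` as `read_file`; the check only distinguishes PEM armor from binary DER and does not validate the store's contents or password.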

Official documentation is correct. Also Tim was correct when he wrote that post in 2018, back then Kibana did not support PKCS#12 but now does.

Thank you very much for your clarifying explanation.
