Configure SSL on Heartbeat with certificates in the system store

I deploy heartbeats on some Windows servers managed by an external service provider. The beats collect the status of service end points exposed by applications on several other hosts. The beats are configured with SSL.

Since the agent hosts are managed by a service provider, it is a requirement that each beat's ca-bundle, certificate and key are stored in the Windows host security system store. From the heartbeat documentation I learn that this can be done with the ca-bundle. How can I configure the beat to load the certificate and key from the Windows security system store?

BR
Flemming

We don't support the Windows system store itself, but you can set a custom CA in the PEM format using the ssl options as documented here.

Hi @Andrew_Cholakian1

Thanks for the information. Could you, please, clarify if Elastic is planning to support this feature in upcoming releases, or if I should file a change request for it?

Our use case is that the service endpoints heartbeat pings are exposed on a secured network with strict requirements to the service providers. A service provider must configure the servers according to the requirements, which state the private key and the certificate must be stored in the system store. Though the risks are low, we would not comply with regulations by copying the key and the certificate to another location on the file system. The ca-bundle is already in the system security store, but this is not enough for heartbeat to ping the endpoints.

BR
Flemming

Reading more about this, and diving a bit into golang's source, I think heartbeat may already read the Windows system store. Have you confirmed it does not?

If it doesn't you can just export the relevant root certs and give them to heartbeat explicitly. To clarify, you wouldn't need to copy the key, just the certificate. It would be terribly insecure to copy CA keys around!

In other words, you could make a new bundle just for heartbeat, or, if the certs are already in the right format, just point ssl.certificate_authorities for each monitor to that location.

I believe that this tutorial would probably work for exporting individual certs if that's something you'd need to do, but I'd verify that heartbeat isn't doing what you want already.
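The export step suggested in the reply above, as an added example that is not part of the original thread or of Elastic's documentation: a PowerShell script that writes only the public CA certificates from the `LocalMachine\Root` store into a PEM bundle that `ssl.certificate_authorities` can point to. The thumbprint and the output path are placeholders to replace with your own values.

```powershell
# Added example: export selected root CA certificates (public part only,
# never a private key) from the Windows machine store into one PEM bundle.
# The thumbprint and path below are placeholders, not values from the thread.
param(
    [string[]]$Thumbprints = @('<THUMBPRINT-OF-YOUR-ROOT-CA>'),
    [string]$BundlePath    = 'C:\ProgramData\heartbeat\ca-bundle.pem'
)

$ErrorActionPreference = 'Stop'
$pem = New-Object 'System.Collections.Generic.List[string]'

foreach ($tp in $Thumbprints) {
    # Thumbprints copied from the certificate GUI often contain spaces.
    $wanted = ($tp -replace '\s', '').ToUpperInvariant()

    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $wanted } |
        Select-Object -First 1
    if (-not $cert) {
        throw "No certificate with thumbprint $wanted in LocalMachine\Root"
    }

    # An expired CA in the bundle only produces confusing handshake failures.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($cert.Subject) expired on $($cert.NotAfter)"
    }

    # RawData is the DER encoding of the certificate; PEM is that DER as
    # base64, wrapped at 64 columns between BEGIN/END markers.
    $b64   = [Convert]::ToBase64String($cert.RawData)
    $lines = $b64 -split '(.{64})' | Where-Object { $_ }

    $pem.Add('-----BEGIN CERTIFICATE-----')
    $pem.AddRange([string[]]$lines)
    $pem.Add('-----END CERTIFICATE-----')
}

# ASCII avoids a byte-order mark, which PEM parsers may not accept.
Set-Content -Path $BundlePath -Value $pem -Encoding ascii

# In each monitor, reference the bundle with:
#   ssl.certificate_authorities: ["C:/ProgramData/heartbeat/ca-bundle.pem"]
Write-Output "Wrote $($Thumbprints.Count) certificate(s) to $BundlePath"
```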

Hi Andrew;

Thanks for taking the time to investigate further.

Actually, I did not take a look at the source code before now. I just looked at the documentation.

I'll test both of your suggestions and update this topic with the results.

BR
Flemming

Hi Andrew;

We have tested if heartbeat already supports reading the certificates in the system store as it does with the CA cert. We can confirm the Go language supports the feature. However, neither heartbeat nor, in general, the beats support the feature, due to the implementation in libbeat.

So for the moment we have to store the certificate on the filesystem outside of the system security store. I believe the key has to be available in order for the beat to sign the requests when the two systems negotiate the connection.

For a skilled Go expert at Elastic I believe it would be a minor task to add this feature to libbeat.

BR
Flemming

I agree this is something we could improve. Apologies for the delay. I've created [Heartbeat] Read certs in windows system store · Issue #29715 · elastic/beats · GitHub to track this issue.