Configuring Kibana with SSL; how to define passphrase for the private key?

I'm going through the steps of configuring Kibana via kibana.yml to use SSL for the accessing clients:

# SSL for outgoing requests from the Kibana Server (PEM formatted)
#ssl_key_file: /path/to/your/server.key
#ssl_cert_file: /path/to/your/server.crt
ssl_cert_file: D:\certs\KibanaCert.crt
ssl_key_file: D:\certs\KibanaCert.pem

How do you specify the passphrase for the private key?

There isn't a way to specify a passphrase. Most people remove the passphrase from their keys using OpenSSL.

openssl rsa -in www.key -out new.key

Yeah, I did that to get it working, but I'm not a fan of it as a long-term solution.

What would you prefer for a long term solution?

For systems that need to be automatically started without human intervention the options I know about are:

  • Passphraseless SSL Key
  • Store passphrase in config and pass as an argument to TLS server (just as insecure as first scenario)
  • Prompt user for passphrase (doesn't scale and requires human intervention or requires an expect script with passphrase; which is also insecure)