Hello People,
I'm using the ELK stack running on version 7.9.2. Now I use self-signed certificates, generated by the certutil built into Elasticsearch (bin/elasticsearch-certutil cert).
I have a few questions about certificates:
How can I convert an existing ca.crt (self-signed) for a CSR request (3rd party certificate and key)?
Can I use a self-signed CA authority for the Elastic nodes and my own certificate for the Kibana server? (I suppose yes)
Just confirm my thinking: when I have two hosts with Kibana instances (two nodes of Kibana), I may use one certificate for both when the SAN specifies two different FQDNs: kibana01.xxx.xx and kibana02.xxx.xx. Then I can use some load balancer between them and use this certificate.
In terms of actual certificates, you can't. There's no practical way to reissue a certificate with a different CA.
You can reuse the underlying key to generate a CSR (although not with certutil, you'd have to use openssl), but I don't think that would have any practical benefit.
The other way to answer your question is "When I get new certificates, how do I switch to them?", which depends a little bit on your setup.
Technically, it's just a matter of switching things in elasticsearch.yml, but if you have clients connecting, then they need to be prepared for the change, and if you are switching your internode (transport.ssl) certificates, then you either need a full restart, or a planned out migration path to upgrade using rolling restarts.
There are actually 3 sets of certificates:
1. Certificates that the Elasticsearch nodes use to connect to each other (xpack.security.transport.ssl in elasticsearch.yml)
2. Certificates that the Elasticsearch nodes use for the REST API (xpack.security.http.ssl in elasticsearch.yml)
3. Certificates that Kibana uses for its UI & API (server.ssl in kibana.yml)
For (1) we strongly recommend that you use a dedicated CA specifically for that purpose. It provides the strongest protections around cluster membership.
For (2) and (3) it can be helpful to use a third party CA (either a public CA or an internal corporate CA) so that you minimise the amount of trust config that your clients (web browsers and ES REST clients) need.
It depends on what sort of load balancer you use.
If your load balancer operates at the http/s level (an "Application Load Balancer" or "Layer 7 Load Balancer" or "Reverse Proxy") then it will terminate the TLS connection itself and as far as the browsers are concerned, it's the certificate installed into the Load Balancer that matters.
You will need to decide what the TLS connection between the load balancer and Kibana will look like and for that, you can use a single cert with 2 DNS SANs, but there are other options, depending on what your load balancer supports.
If your load balancer operates at the TCP/IP level (a "Network Load Balancer" or "Layer 4 Load Balancer") then it will just route packets to the Kibana servers directly, and each Kibana server will need to have a certificate with a SAN that matches the FQDN that your users use to connect (like kibana.xxx.xx) - as far as the web browsers are concerned there's only 1 server to talk to, so each Kibana needs to act like it's that server on that shared URL.
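A CSR carrying the shared load-balanced name plus both Kibana node names as DNS SANs, built from an existing private key with openssl rather than certutil, as an added example that is not from this thread or from Elastic; the hostnames, file names and working directory are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the thread: build one CSR for the load-balanced
# Kibana setup, reusing an existing private key, then check which DNS SANs
# the CSR carries. All hostnames are constructed placeholders.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SHARED_FQDN="kibana.xxx.xx"                  # the URL users connect to
NODE_FQDNS="kibana01.xxx.xx kibana02.xxx.xx" # the two Kibana backends

# Stand-in for the kibana.key you already have; a certutil-made key works too.
make_key() {
    openssl genrsa -out "$WORKDIR/kibana.key" 2048 2>/dev/null
}

# openssl config whose req extensions list every SAN the LB setup needs.
write_config() {
    alt=""; i=1
    for h in $SHARED_FQDN $NODE_FQDNS; do
        alt="$alt
DNS.$i = $h"
        i=$((i + 1))
    done
    cat > "$WORKDIR/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $SHARED_FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]$alt
EOF
}

# The CSR produced from the existing key is what goes to the third-party CA.
make_csr() {
    make_key
    write_config
    openssl req -new -key "$WORKDIR/kibana.key" -config "$WORKDIR/csr.cnf" \
        -out "$WORKDIR/kibana.csr" 2>/dev/null
}

# Print "yes" if the CSR's SAN list contains the given FQDN exactly, else "no".
csr_has_san() {
    if openssl req -in "$WORKDIR/kibana.csr" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$1"; then echo yes; else echo no; fi
}

make_csr
for h in $SHARED_FQDN $NODE_FQDNS; do echo "$h -> $(csr_has_san "$h")"; done
```

The same SAN check works on the certificate the CA sends back (`openssl x509 -in kibana.crt -noout -text`), which is the moment to confirm the shared name survived before installing it behind a Layer 4 balancer.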
Thanks a lot TimV!
You did a great job. May I ask a few more questions?
1. Let's say I will use a new cert for Kibana and its UI/API. Now I've got this configuration:
So to do that I need to replace kibana01/02.crt and kibana01/02.key with the 3rd party certificate and key, right?
For CSR request I may use certutil with the option:
and finally I need to receive the right cert and key from the different CA. Is that correct? This key and cert will be used via a load balancer (KEMP) which will balance both Kibanas on https://kibana.xxx.xx
2. Can I replace certs and keys for all nodes when I generate them via certutil but on a different cluster? Let's say I have two clusters: A and B. I will use instances.yml from A to generate certs/keys for A but via B (hope it's clear). Will these keys/certs generated on B be usable on A?
Maybe the answer to the question will help someone else:
Ad 1. We can use completely different certificates for Kibana server SSL; they don't need to be generated via certutil (it might be openssl).
Ad 2. Actually it's possible but probably not realistic, because we need to use the same names for clusters A & B (see instances.yml):