So I am doing a demo of Elastic SIEM. Everything is working fine using http. Only a one-server setup. Basic minimum, testing using a PoC domain. For the future I do want to know how to create certs using our domain using AD CS. Setting up Kibana for https using an AD CS server looks straightforward. I am having a harder time understanding setting Elasticsearch to use a cert from AD CS and importing it into Kibana. Since it is only one node, I am guessing I don't need to care about creating a node cert. We use OpenFaaS to create the CSR and generate the PKS file, key file and .crt file. So I don't really need to rely on any CSR generation on the Elastic server. I figure I just need to know where to put the PEM format for the key, cert and certificate authority. Then what user and permissions are needed. I am guessing they go under /etc/elasticsearch/certs? What permissions are needed? Then I need to run the command to add the .key password. Point the elastic.yml to the files. Then how do I add any files I need for Kibana to talk to Elastic on https? Any help would be appreciated.
Sorry, it's not immediately clear to me what you're trying to do.
There are, realistically, 3 sets of certificates that you might be asking about.

1. If you enabled https for Kibana, then there is a server certificate (and key) for Kibana that is used when browsers connect to Kibana.
2. If you enabled https for Elasticsearch, then there is a server certificate (and key) for Elasticsearch that is used when clients (including Kibana) connect to Elasticsearch.
3. If you enabled https for Elasticsearch, and you enabled client authentication, then there is a client certificate (and key) for each client (including Kibana) that connects to Elasticsearch.
I believe you are saying that you have (1) under control, and are interested in (2). I don't think you are interested in (3).
For (2), there are instructions here.
You can skip step 1 of those instructions.
Place the .crt and .key files somewhere within your configuration directory (probably /etc/elasticsearch/certs), make sure they are readable by the user that runs Elasticsearch (probably elasticsearch), and configure elasticsearch.yml as follows:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/elasticsearch/certs/es-http.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/es-http.crt
Then copy the signing chain (certificate authorities) somewhere that your Kibana user can read them, and configure elasticsearch.ssl.certificateAuthorities in kibana.yml to point at that file.
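The steps in the answer above (stage the externally issued PEM files, lock down the key, point elasticsearch.yml and kibana.yml at them, and put the key passphrase in the keystore if the key is encrypted), as an added POSIX shell example that is not part of the thread or of Elastic's own tooling. The file names es-http.key, es-http.crt and ca.crt, the destination directory and the elasticsearch service user are assumptions; the keystore setting name xpack.security.http.ssl.secure_key_passphrase is the real Elasticsearch setting for an encrypted HTTP key.

```shell
#!/bin/sh
# Added example: stage PEM material issued by an external CA (e.g. AD CS) for
# Elasticsearch HTTPS and print the matching elasticsearch.yml / kibana.yml lines.
# File names, directories and the service user below are assumptions.
set -eu

# install_es_http_certs SRC_DIR DEST_DIR OWNER
#   Copies es-http.key, es-http.crt and ca.crt from SRC_DIR into DEST_DIR,
#   makes the key owner-read-only (0400) and the certificates world-readable
#   (0444). chown is only attempted when running as root, so the function can
#   be dry-run as an ordinary user. Returns 1 on any missing or non-PEM file.
install_es_http_certs() {
  src="$1"; dest="$2"; owner="$3"
  for f in es-http.key es-http.crt ca.crt; do
    if [ ! -f "$src/$f" ]; then
      echo "missing $src/$f" >&2
      return 1
    fi
    # AD CS can export DER or PFX; Elasticsearch's .key/.certificate settings need PEM.
    if ! grep -q -- '-----BEGIN' "$src/$f"; then
      echo "$src/$f is not PEM encoded" >&2
      return 1
    fi
  done
  mkdir -p "$dest"
  cp "$src/es-http.key" "$dest/es-http.key"
  cp "$src/es-http.crt" "$dest/es-http.crt"
  cp "$src/ca.crt"      "$dest/ca.crt"
  chmod 0400 "$dest/es-http.key"
  chmod 0444 "$dest/es-http.crt" "$dest/ca.crt"
  if [ "$(id -u)" -eq 0 ]; then
    chown "$owner" "$dest/es-http.key" "$dest/es-http.crt" "$dest/ca.crt"
  fi
  # Final check: group/other must have no read bit on the private key.
  case "$(ls -ld "$dest/es-http.key" | cut -c5-10)" in
    *r*) echo "private key is readable by group or others" >&2; return 1 ;;
  esac
  return 0
}

# key_is_encrypted KEY_FILE -> 0 if the PEM key carries a passphrase, else 1.
# Covers both the legacy "Proc-Type: 4,ENCRYPTED" header and PKCS#8 encrypted keys.
key_is_encrypted() {
  grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# es_http_ssl_config DEST_DIR -> the elasticsearch.yml lines from the answer above.
es_http_ssl_config() {
  printf 'xpack.security.http.ssl.enabled: true\n'
  printf 'xpack.security.http.ssl.key: %s/es-http.key\n' "$1"
  printf 'xpack.security.http.ssl.certificate: %s/es-http.crt\n' "$1"
}

# kibana_ssl_config CA_FILE -> the kibana.yml line that trusts the signing chain.
kibana_ssl_config() {
  printf 'elasticsearch.ssl.certificateAuthorities: [ "%s" ]\n' "$1"
}

# keystore_hint KEY_FILE -> prints the keystore command only when the key needs it.
# The passphrase belongs in the keystore, never in elasticsearch.yml.
keystore_hint() {
  if key_is_encrypted "$1"; then
    printf '%s\n' 'bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase'
  fi
}

# Usage (paths are assumptions; run as root on the Elasticsearch host):
#   install_es_http_certs /tmp/from-adcs /etc/elasticsearch/certs elasticsearch
#   es_http_ssl_config /etc/elasticsearch/certs   # append to elasticsearch.yml
#   kibana_ssl_config /etc/kibana/certs/ca.crt    # append to kibana.yml
#   keystore_hint /etc/elasticsearch/certs/es-http.key
```

The example refuses anything that is not PEM because the usual AD CS export formats (DER .cer or .pfx) will not load through the `.key`/`.certificate` settings; the separate `ca.crt` copy for Kibana only needs to be readable by the Kibana user, which is why it is installed 0444 while the private key stays 0400.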
Thanks, very helpful.