Creating P12 certificates in a github workflow

tdvo1996 · May 6, 2024, 1:26pm

Hi, we would like to implement a rotation of P12-certificates using github workflows.

Let's say you have a CA certificate. Would it be possible, in a github workflow, to use a public Elasticsearch docker image to create password signed P12 certificates?

The CA certificate will be fetched from Azure Key Vault and mounted to a folder on a private github runner. Then the CA will be mounted to a folder on the docker container to be used to create P12 certificates. Is it possible? And how would that docker command look like?

Artem_Shelkovnikov · May 6, 2024, 3:17pm

Hi @tdvo1996,

Just to check - where does Elasticsearch stand in the question? Only to create certificates?

tdvo1996 · May 7, 2024, 7:52am

Yes, it's for configuring elastic with xpack security. I'm trying to automate configuring elastic as much as possible. For example using github workflows and ansible to rotate certificates.

Artem_Shelkovnikov · May 7, 2024, 9:24am

I see, I've moved this topic into Elastic Stack - Elasticsearch section so that you can get more visibility on your question from Elasticsearch team.

tdvo1996 · May 7, 2024, 9:48am

I tried posting on elastic stack first, but I wasn't able to do it. The "New Topic"-button was greyed out, but thanks!

TimV · May 8, 2024, 6:58am

Not if all you have is a CA certificate. You need a copy of the CA private key in order to be able to issue new certificates.

tdvo1996 · May 8, 2024, 7:32am

Ah, I see. What if you have a ca in the form of a p12 certificate, and then spin up a n elastic docker image to run this command:

./elasticsearch-certutil cert --ca /etc/elasticsearch/cert/p12/elastic-stack-ca.p12 --in /usr/share/elasticsearch/bin/instances.yml --out certs.zip?

Something like this:

 docker run --rm \
            -v ./certs:/usr/share/elasticsearch/config/certs \
            -v ${{ inputs.instances_file_path }}/instances.yml:/usr/share/elasticsearch/config/instances.yml \
            docker.elastic.co/elasticsearch/elasticsearch:8.11.2 \
            elasticsearch-certutil cert --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
            --in /usr/share/elasticsearch/config/instances.yml \
            --out /usr/share/elasticsearch/config/certs/certs.zip -ca-pass "$pwd" --pass "$pwd"

I'm fairly new to configuring elastic, so correct me if I say anything incorrect.

tdvo1996 · May 30, 2024, 1:56pm

Hm, let's say I have everything I need to create P12 certificates. Is it possible to rotate P12 certificates with github actions?

leandrojmp · May 30, 2024, 2:05pm

Not sure how this related to any tool in the stack.

How you create or update the certificates used doesn't matter, you just need to make sure that the configuration is pointing to the correct certificates, but how you do that on Github Action is unrelated to Elasticsearch.

You also do not need to use elasticsearch-certutil to create any certificates, you can for example use openssl to create it.

I have a compose that spin-ups a local SIEM using Elastic + Kibana + Fleet for some testing and I use the following to create the certificates in PEM format.

  certs:
    image: ubuntu:24.04
    container_name: certs
    volumes:
      - ./certs:/usr/share/certs:z
    command: >
      bash -c '
        cd /usr/share/certs;
        if [ -f certs.exist ]; then
          echo "certificados já criados"
          exit 0;
        fi;
        apt update && apt install -y openssl;
        # ca
        openssl genrsa -out ca-siem-key.pem 2048
        openssl req -new -x509 -sha256 -key ca-siem-key.pem -subj "/C=BR/ST=RJ/L=RIO DE JANEIRO/O=LAB/OU=SIEM" -out ca-siem.pem -days 1830
        # elasticsearch + kibana + fleet
        openssl genrsa -out siem-key.tmp 2048
        openssl pkcs8 -inform PEM -outform PEM -in siem-key.tmp -topk8 -nocrypt -v1 PBE-SHA1-3DES -out siem-key.pem
        openssl req -new -key siem-key.pem -subj "/C=BR/ST=RJ/L=RIO DE JANEIRO/O=LAB/CN=SIEM" -out siem.csr
        echo "subjectAltName=DNS:elasticsearch, DNS:kibana, DNS:fleet, DNS:localhost" > siem.ext
        openssl x509 -req -in siem.csr -CA ca-siem.pem -CAkey ca-siem-key.pem -CAcreateserial -sha256 -out siem.pem -days 1830 -extfile siem.ext
        chmod 640 *.pem
        rm -f *.ext
        rm -f *.tmp
        rm -f *.csr
        rm -f *.srl
        touch certs.exist
      '
    networks:
      - siem

system · June 27, 2024, 2:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch-certutil - can it access keystore? Elasticsearch elastic-stack-security	2	661	June 25, 2019
Creating http.p12,tranport.p12 from a signed CSR for Elasticsearch Elasticsearch elastic-stack-security	5	4203	December 25, 2022
ElasticSearch renew certificate errors Elasticsearch elastic-stack-security , docker	2	145	May 17, 2024
Using certificates from Certificate Authority instead of Self-Signed Certificates Kibana elastic-stack-security , docker	2	267	August 10, 2021
I'm trying to move my elastic stack to 7.16.2 (from 6.8.22) in docker-compose - but fails to get certificates generated Elasticsearch elastic-stack-security , docker	6	854	February 1, 2022

Creating P12 certificates in a github workflow

Related topics