Does client verification require host based certificates?

sjne · April 28, 2020, 7:27pm

When using ssl_verify_mode: force_peer for client verification with Filebeat, does the client certificate need to be issued to the specific host name/IP? I.e the CN is the host name of the node.

For example can I use (in a test/dev environment) one self-signed certificate for all of my four Filebeat nodes for client verification with a Logstash instance? Or do the certificates need to be issued to each node separately (CN = host1; CN = host2 etc)? I tried looking for an answer in the docs but could find any, sorry. Thanks!

Badger · April 28, 2020, 10:18pm

That came up recently here. The name in the client certificiate is not checked.

Luca_Belluccini · April 28, 2020, 10:47pm

We also try to make sure this ends up in the documentation: https://github.com/logstash-plugins/logstash-input-beats/issues/317

system · May 26, 2020, 10:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[mTLS][filebeat-logstash][beat-input-plugin] Client certificate hostname verification Beats beats-module , filebeat	7	976	October 4, 2021
Logstash beat force_peer authentication doesn't check hostname info Logstash	3	457	May 25, 2020
Tls verification_mode, custom validation options? Beats journalbeat	4	1097	November 4, 2022
Filebeat clients specified by ip addresses for 'force_peer' Beats filebeat	3	603	October 26, 2018
Filebeat ssl connection fail with CERT using Subject Alternative Name Beats filebeat	5	2572	July 5, 2017

Does client verification require host based certificates?

Related Topics