Does client verification require host based certificates?

sjne · April 28, 2020, 7:27pm

When using ssl_verify_mode: force_peer for client verification with Filebeat, does the client certificate need to be issued to the specific host name/IP? I.e the CN is the host name of the node.

For example can I use (in a test/dev environment) one self-signed certificate for all of my four Filebeat nodes for client verification with a Logstash instance? Or do the certificates need to be issued to each node separately (CN = host1; CN = host2 etc)? I tried looking for an answer in the docs but could find any, sorry. Thanks!

Badger · April 28, 2020, 10:18pm

That came up recently here. The name in the client certificiate is not checked.

Luca_Belluccini · April 28, 2020, 10:47pm

We also try to make sure this ends up in the documentation: https://github.com/logstash-plugins/logstash-input-beats/issues/317

Topic		Replies	Views
[mTLS][filebeat-logstash][beat-input-plugin] Client certificate hostname verification Beats beats-module , filebeat	7	1078	October 4, 2021
Logstash beat force_peer authentication doesn't check hostname info Logstash	3	489	May 25, 2020
Force_peer/peer option fails to validate client certificate Beats filebeat	6	2256	September 27, 2016
Logstash optional client cert authentication/validation Beats	1	495	March 31, 2018
Creating certificates for filebeat Beats filebeat	5	2037	July 5, 2017

Does client verification require host based certificates?

Related topics