Elasticsearch 7.6 TLS/SSL Organization signing certificate

Dears,

Kindly, I need your support, as the Elasticsearch 7.6 documentation does not cover using an organization signing certificate.

  1. If I use my organization signing certificate, should the CSRs generated by certutils contain public IPs and public DNS names, or can I use our private IPs and local DNS names (the Elasticsearch nodes are private, not public)?

  2. Is xpack.security.transport.ssl.certificate_authorities mandatory, where my organization cannot provide me with its CA?

xpack.security.transport.ssl.enabled: true

xpack.security.transport.ssl.verification_mode: full

xpack.security.transport.ssl.key: /etc/elasticsearch/node01.key

xpack.security.transport.ssl.certificate: /etc/elasticsearch/node01.pem

#xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/node01.pem"]

Hello @ikakavas,
please can you advise me regarding this question

Thanks very much for your interest in Elasticsearch.

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

There is no difference whether you sign this with an Organization CA or a public CA. Maybe I misunderstood your question, but why would that matter?

Is xpack.security.transport.ssl.certificate_authorities mandatory, where my organization cannot provide me with its CA?

Yes it is. The CA certificate is meant to be public and distributed to entities so that they can verify the certificates that this CA is signing, so in order to use certificates that are signed by this CA, you either need this CA certificate or you need to disable certificate verification which is highly discouraged.
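
As an added example (not part of this thread or of Elastic's documentation), the script below runs the two checks that `verification_mode: full` implies for a peer certificate: it must chain to the configured CA certificate, and its subject alternative names must cover the host name and IP the nodes use to reach each other. It assumes OpenSSL 1.1.0 or later on the PATH; the CA, the node name `node01.es.internal` and the address `10.0.0.11` are constructed stand-ins.

```shell
#!/bin/sh
# Added example. The CA, node name, DNS name and IP are constructed values.

# make_demo_pki DIR: build a stand-in organization CA and a node certificate
# whose SAN carries a private DNS name and a private IP.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Org CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=node01' \
        -keyout "$d/node01.key" -out "$d/node01.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:node01.es.internal,IP:10.0.0.11\n' > "$d/san.ext"
    openssl x509 -req -in "$d/node01.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/san.ext" \
        -out "$d/node01.pem" 2>/dev/null || return 1
}

# check_node_cert CA_PEM NODE_PEM HOST IP
# 0 = chains to the CA and the SAN covers HOST and IP
# 1 = not signed by this CA, 2 = HOST not in SAN, 3 = IP not in SAN
check_node_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match' || return 2
    openssl x509 -in "$2" -noout -checkip "$4" | grep -q 'does match' || return 3
}

# Demo run on the constructed material.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_node_cert "$demo_dir/ca.pem" "$demo_dir/node01.pem" node01.es.internal 10.0.0.11
echo "matching SAN, right CA: exit $?"
check_node_cert "$demo_dir/ca.pem" "$demo_dir/node01.pem" node01.es.internal 10.0.0.12
echo "IP missing from SAN:    exit $?"
```

Against real files, call `check_node_cert` with the organization's CA certificate (or chain) in PEM form, the signed node certificate, and the name and address other nodes connect to.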

Thank you very much @ikakavas
