Elasticsearch ca certificate not found when connecting via browser

I am currently trying to generate a certificate that will allow us to connect to Kibana from a remote browser with the FQDN subdomain.domain.com. I am having trouble finding a way for the browser to find the CA certificate without installing it on the end user's PC.

The commands I use are:
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12

I then create a certificate in PEM Format:
elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns subdomain.domain.com --ip public ip --name subdomain.domain.com --pem
I have also tried using the same CN as the CA certificate but get the same result.
The root CA is missing from the chain until you install it on the end user's PC.

I am deploying the FQDN to a group of users and I need to make it as basic as possible to access Kibana without the need to install certificates.

I could be missing something extremely obvious, so any advice or guidance would be extremely appreciated.

This is how web PKI works. A good resource to gain some further understanding is https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates.

In summary, browsers and operating systems come bundled with a list of CA certificates, and they trust the certificates that are signed by these CA certificates. Obviously, the CA certificate that you generate with elasticsearch-certutil ca is not one of these CA certificates that browsers trust, and when you create the subdomain.domain.com certificate and sign it with this CA, the clients that try to connect to it do not trust it.

Your options are to
a) Ship the CA certificate and have the users install it in their browsers so that they can trust the Kibana certificate
b) Get a certificate for Kibana that is signed by a known and well trusted CA which your users' browsers will be trusting already. See, for instance, the list of CAs that Firefox and Chrome trust by default
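
The trust decision described in the answer above, reproduced locally with openssl as an added example (not part of the original thread): a throwaway private CA stands in for the one elasticsearch-certutil ca generates, and a second unrelated CA stands in for a browser's bundled list. The CA names, file names and the make_ca, verdict and trust_demo functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names and keys below are constructed and throwaway.

# make_ca DIR PREFIX CN: create a self-signed root CA (PREFIX.key / PREFIX.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# verdict STORE CERT: print "ok" if CERT chains to a CA in STORE, else "fail".
verdict() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# trust_demo: sign one server certificate with a private CA, then check it
# against a store that contains that CA and against one that does not.
trust_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" private "Example Private CA" || return 1   # like elasticsearch-certutil ca
    make_ca "$d" bundled "Example Bundled CA" || return 1   # stands in for the browser's list

    # Key and CSR for the Kibana hostname used in the thread.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=subdomain.domain.com" \
        -keyout "$d/kibana.key" -out "$d/kibana.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:subdomain.domain.com\n' > "$d/san.cnf"
    # Sign the CSR with the private CA.
    openssl x509 -req -in "$d/kibana.csr" -CA "$d/private.pem" -CAkey "$d/private.key" \
        -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/kibana.pem" 2>/dev/null || return 1

    echo "private_ca_installed=$(verdict "$d/private.pem" "$d/kibana.pem")" \
         "private_ca_absent=$(verdict "$d/bundled.pem" "$d/kibana.pem")"
    rm -rf "$d"
}

trust_demo
```

The certificate itself is identical in both checks; only the contents of the verifier's trust store change the outcome, which is why option a) or option b) is required.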

Fantastic, thanks ikakavas for your assistance. I will explore the options.
