I am currently trying to generate a certificate that will allow us to connect to Kibana from a remote browser with the FQDN subdomain.domain.com. I am having trouble finding a way for the browser to find the CA certificate without installing it on the end user's PC.
The commands I use are:
elasticsearch-certutil ca
elasticsearch-certutil cert --ca elastic-stack-ca.p12
I then create a certificate in PEM format:
elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns subdomain.domain.com --ip public ip --name subdomain.domain.com --pem
I have also tried using the same CN as the CA certificate but get the same result.
The root CA is missing from the chain until you install it on the end user's PC.
I am deploying the FQDN to a group of users and I need to make it as basic as possible to access Kibana without the need to install certificates.
I could be missing something extremely obvious, so any advice or guidance would be extremely appreciated.
In summary, browsers and operating systems come bundled with a list of CA certificates, and they trust the certificates that are signed by these CA certificates. Obviously, the CA certificate that you generate with elasticsearch-certutil ca is not one of these CA certificates that browsers trust, and when you create the subdomain.domain.com certificate and sign it with this CA, the clients that try to connect to it do not trust it.
Your options are to
a) Ship the CA certificate and have the users install it in their browsers so that they can trust the Kibana certificate
b) Get a certificate for Kibana that is signed by a known and well trusted CA which your users' browsers will be trusting already. See, for instance, the list of CAs that Firefox and Chrome trust by default
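The trust behaviour described in the answer above can be reproduced offline. This is an added example, not part of the original thread and not Elastic's tooling: it assumes openssl as a stand-in for elasticsearch-certutil, and the CA name and file names are hypothetical (only the FQDN comes from the question).

```shell
#!/bin/sh
# Constructed demo: a private CA signs a certificate for subdomain.domain.com,
# then the certificate is verified with and without that CA being trusted.

make_demo_pki() {   # $1 = empty working directory
  d="$1"
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  # Self-signed private CA (the role "elasticsearch-certutil ca" plays in the question)
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Key and signing request for the Kibana host
  openssl req -new -config "$d/ca.cnf" -subj "/CN=subdomain.domain.com" \
    -newkey rsa:2048 -nodes -keyout "$d/kibana.key" -out "$d/kibana.csr" 2>/dev/null || return 1
  # Leaf certificate signed by the private CA, with the FQDN as a subjectAltName
  echo "subjectAltName=DNS:subdomain.domain.com" > "$d/san.ext"
  openssl x509 -req -in "$d/kibana.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/kibana.crt" 2>/dev/null
}

# A client that only has its bundled CA list: the private CA is not in the
# default store, so chain building stops at the leaf and verification fails.
verify_with_default_store() {
  openssl verify -verify_hostname subdomain.domain.com "$1/kibana.crt" >/dev/null 2>&1
}

# Option (a) from the answer: the client has been given the private CA certificate.
verify_with_private_ca() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname subdomain.domain.com \
    "$1/kibana.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_with_default_store "$demo_dir" && echo "bundled CAs only: trusted" \
  || echo "bundled CAs only: NOT trusted"
verify_with_private_ca "$demo_dir" && echo "private CA installed: trusted" \
  || echo "private CA installed: NOT trusted"
```

Running the same `openssl verify` against a certificate issued by a publicly trusted CA, option (b), succeeds without any `-CAfile` argument on a machine with a populated system trust store.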