Encrypting the certificate key for SSL


(Ihjaz Mohamed) #1

Hi,

I've enabled SSL between Filebeat and Logstash. I have the following configuration in my logstash.conf:

input {
  beats {
    host => "10.129.179.39"
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/first-cert.pem"
    ssl_key => "/etc/logstash/certs/key.pk8"
  }
}

The above configuration works and the logs are getting pushed from Filebeat to Logstash.
But I can't store the private key without encryption on the server, as anyone who has access to the server can get the private key and sign a certificate.

Is there a way I can pass the private key to Logstash in an encrypted form?


(Ihjaz Mohamed) #2

Hi,

I figured out that we can use ssl_key_passphrase to decrypt an encrypted private key.

ssl_key_passphrase => "admin"

But it seems like I need to give the passphrase in plain text as shown above and anyone who looks at this config file can see it.

Is there a way to hide this passphrase?


(Ihjaz Mohamed) #3

Hi,

I have the following configuration now with ssl_key_passphrase:

input {
  beats {
    host => "10.129.179.39"
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/first-cert.pem"
    ssl_key => "/etc/logstash/certs/enc_key.p8"
    ssl_key_passphrase => "admin"
  }
}

I have encrypted key.p8 as follows, with admin as the passphrase:

openssl rsa -aes256 -in key.p8 -out enc_key.p8

But with the encrypted key file and passphrase configured, I am seeing the following error in the Logstash logs:

[2017-09-14T21:57:05,709][ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format.

Has anyone here run into this issue? Have you tried ssl_key_passphrase?


(Ihjaz Mohamed) #4

Hi,

I figured this out. It has to be PKCS#8 encryption. The ssl_key_passphrase option works only for decrypting PKCS#8-encrypted keys.

openssl pkcs8 -in key.pem -topk8 -passout pass:admin -out p8key.pem

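The two openssl commands in posts #3 and #4 write different on-disk formats, which is why the first one produced the "not in PKCS8 format" error. The script below is an added example (not from the thread, and not Logstash or OpenSSL project code) that generates a throwaway RSA key, encrypts it both ways, classifies each file by its PEM armour and headers, and checks which one an encrypted-PKCS#8 reader can open with the passphrase. The temporary paths, the helper names `key_format` and `pkcs8_opens`, the `-traditional` detection and the reuse of the thread's demo passphrase "admin" are my own assumptions; it needs only a POSIX shell and the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway RSA key, encrypt it the
# two ways discussed above, and show which form ssl_key_passphrase can open.
# "admin" is the thread's demo passphrase; a real deployment uses a strong
# secret that is not stored next to the key (assumption: demo values only).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="admin"

# 1. Unencrypted key in PKCS#8 PEM ("BEGIN PRIVATE KEY"), the form ssl_key reads.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/key.pem" 2>/dev/null

# 2a. What post #3 did: "openssl rsa -aes256". On OpenSSL 1.x this writes the
#     traditional encrypted form ("BEGIN RSA PRIVATE KEY" with Proc-Type and
#     DEK-Info headers), which is not PKCS#8 and is what the quoted error means.
#     OpenSSL 3.x writes PKCS#8 from this command by default, so request the
#     old form explicitly when the -traditional flag is available.
TRAD=""
if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
  TRAD="-traditional"
fi
openssl rsa -aes256 $TRAD -in "$WORK/key.pem" -passout "pass:$PASS" \
  -out "$WORK/enc_traditional.pem" 2>/dev/null

# 2b. What post #4 did: "openssl pkcs8 -topk8". This writes a PKCS#8
#     EncryptedPrivateKeyInfo ("BEGIN ENCRYPTED PRIVATE KEY").
openssl pkcs8 -topk8 -in "$WORK/key.pem" -passout "pass:$PASS" \
  -out "$WORK/enc_pkcs8.pem"

# key_format FILE: classify a PEM private key by its armour line and headers.
# Prints one of: pkcs8-encrypted, traditional-encrypted, unencrypted, unknown.
key_format() {
  if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
    echo pkcs8-encrypted
  elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
    echo traditional-encrypted
  elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
    echo unencrypted
  else
    echo unknown
  fi
}

# pkcs8_opens FILE PASS: succeed only if FILE is an encrypted PKCS#8 key that
# decrypts with PASS. Without -topk8, "openssl pkcs8" accepts only the
# EncryptedPrivateKeyInfo form, so a traditional-format key is rejected here
# just as it was by Logstash in post #3.
pkcs8_opens() {
  openssl pkcs8 -in "$1" -passin "pass:$2" -out /dev/null 2>/dev/null
}

# Stand-alone run: one line per file with its format and whether it opens.
for f in key.pem enc_traditional.pem enc_pkcs8.pem; do
  if pkcs8_opens "$WORK/$f" "$PASS"; then ok=yes; else ok=no; fi
  printf '%-20s %-22s opens with passphrase: %s\n' \
    "$f" "$(key_format "$WORK/$f")" "$ok"
done
```

Run it as `sh check_key_formats.sh`. The `-traditional` probe matters because OpenSSL 3.x already emits PKCS#8 from `openssl rsa -aes256`, so the failure in post #3 reproduces only on older releases; the classification by PEM header is the quick check to make before editing the Logstash config. Encrypting the key does nothing for the concern in post #2, since the passphrase still sits in plain text in the pipeline file; later Logstash releases handle that with the Logstash keystore, whose entries are referenced from the config as `${NAME}`, which is beyond what this thread covers.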

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.