Generating A Certificate From The CA I Made Through Elasticsearch

Hello,

I am about done setting up security going through this tutorial:

I am getting stuck here:
Send the kibana-server.csr certificate signing request to your internal CA or trusted CA for signing to obtain a signed certificate. The signed file can be in different formats, such as a .crt file like kibana-server.crt.

My question is: how do I use the provided certutil (or another provided Elastic Stack tool) to get a certificate from a CSR? I have the CSR generated; now I am just trying to use my elastic-stack-ca.p12 to turn that CSR into an actual certificate I can use.

Thanks In Advance

You don't.

A CSR is only needed if you want your server's certificate to be issued by someone else (and for production usage, you almost certainly do want that).
If you want to use your own CA as the certificate issuer, then you should use ./bin/elasticsearch-certutil cert instead of csr.

EDIT: SOLVED
This makes more sense. Thanks for the detailed response. I have been trying to troubleshoot this issue for a bit and I have thought of a few solutions. I just wanted to see how to do them and which solution is recommended. Using the same tutorial as above, what is the best way to encrypt traffic from Kibana to my browser? I am either trying to fill in these settings or fill in a different setting that doesn't require both of these settings (more explained below):

server.ssl.certificate: $KBN_PATH_CONF/kibana-server.crt
server.ssl.key: $KBN_PATH_CONF/kibana-server.key

Is there a way to put a setting inside of the kibana.yml that only requires me to put the .p12 file in rather than a certificate and keys? To my understanding, by default the certutil generates a file that has the certificates and the keys in one file. How do I make Kibana only need this one file rather than two?

I have been looking at this guide: elasticsearch-certutil | Elasticsearch Guide [7.16] | Elastic, but I can't seem to get the command right to separate the certificate and the keys. If I am on the right track and there is a command for this, what would that command look like? I am looking at this paragraph:

By default, the cert mode produces a single PKCS#12 output file which holds the instance certificate, the instance private key, and the CA certificate. If you specify the --pem parameter, the command generates PEM formatted certificates and keys and packages them into a zip file. If you specify the --keep-ca-key, --multiple or --in parameters, the command produces a zip file containing the generated certificates and keys.

Thanks In Advance,
Jared

You should be able to do either of those.

You can use a PKCS#12 keystore with server.ssl.keystore.path, provided that you're on a relatively recent version of Kibana (7.9 or higher, I think).
See: Configure Kibana | Kibana Guide [7.16] | Elastic

Or you can generate separate certificate and key files by passing -pem to elasticsearch-certutil
e.g.

./bin/elasticsearch-certutil cert -pem \
  -ca /path/to/stack-ca.p12 \
  -name kibana-server \
  -dns example.com,www.example.com
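
For a bundle that already exists, an alternative to re-issuing with -pem is to split the PKCS#12 file with openssl and check the result. This is an added example, not part of the thread or of Elastic's tooling; the demo CA, subjects, file names and the P12_PASS value are constructed, and it assumes openssl is installed.

```sh
#!/bin/sh
# Added example (not from the thread): split a PKCS#12 bundle into the PEM
# pair that server.ssl.certificate / server.ssl.key expect, then verify it.
# Subjects, file names and the password are constructed for this demo.
set -eu

# Throwaway CA + CA-signed certificate + .p12 in dir $1, standing in for the
# output of `elasticsearch-certutil ca` and `elasticsearch-certutil cert`.
make_demo_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kibana-server" \
    -keyout "$1/orig.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/orig.crt" 2>/dev/null &&
  openssl pkcs12 -export -name kibana-server -inkey "$1/orig.key" \
    -in "$1/orig.crt" -certfile "$1/ca.crt" \
    -passout env:P12_PASS -out "$1/kibana-server.p12"
}

# Extract key, leaf certificate and CA certificate from bundle $1 into dir $2.
# The password is read from $P12_PASS so it never appears in the process list.
split_p12() {
  ( umask 077   # keep the unencrypted private key owner-readable only
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
      -out "$2/kibana-server.key" 2>/dev/null ) &&
  openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
    -out "$2/kibana-server.crt" 2>/dev/null &&
  openssl pkcs12 -in "$1" -passin env:P12_PASS -cacerts -nokeys \
    -out "$2/ca.pem" 2>/dev/null
}

# Succeeds only if certificate $1 chains to CA $3 and matches private key $2.
check_pair() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# End-to-end run in a temporary directory that is removed afterwards.
demo() {
  work=$(mktemp -d); export P12_PASS=constructed-demo-password
  rc=0
  make_demo_bundle "$work" && split_p12 "$work/kibana-server.p12" "$work" &&
    check_pair "$work/kibana-server.crt" "$work/kibana-server.key" "$work/ca.pem" || rc=1
  rm -rf "$work"; return $rc
}
demo && echo "certificate and key extracted and verified"
```

Against a real bundle, only split_p12 and check_pair are needed, with P12_PASS exported to the bundle's password beforehand.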
