How to generate a server certificate for Kibana?

(Li Jessen) #1

In, it says:

Generate a server certificate for Kibana.

You must either set the certificate’s subjectAltName to the hostname, fully-qualified domain name (FQDN), or IP address of the Kibana server, or set the CN to the Kibana server’s hostname or FQDN. Using the server’s IP address as the CN does not work.

But how to generate the server certificate?

(Joe Fleming) #2

The Kibana docs gloss over that part apparently, but the elasticsearch docs go into detail about it. In general, openssl will work, but there's a lot of steps. Anything you can use to generate a valid X.509 certificate should work though.

As mentioned in those docs, we have a cert generation tool, called elasticsearch-certutiledit you can use as well, which is probably easier than just using openssl directly. You can read more about that in the docs here too.

Once you have the cert, you can follow the Kibana docs to actually start using it.

(Li Jessen) #3

Should I generate a new server certificate for Kibana? Since I am deploying both Elasticsearch and Kibana in the same machine, can I use the same certificate that I generated for Elasticsearch node?

BTW, is the server certificate indispensable for TLS/SSL communication?

(Joe Fleming) #4

I think you can use the same cert for both, depending on how the cert was set up. It's been a long time since I've personally set up a cert, but if you use the same hostname (or a wildcard one), and it's valid for all ports on that host, then it should work. I'm not sure if it's "good practice" or not though, you'll have to find that answer yourself.

BTW, is the server certificate indispensable for TLS/SSL communication?

If you're asking if you need a certificate for SSL, the answer is yes.

(Li Jessen) #5

No. I tried using the same certificate and key as that of elasticsearch but it failed since kibana app can't parse them. I tried other ways and made it work.

(system) closed #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.