How to generate certificate to enable alerting in Kibana?


As documented here, I understand that there are 3 main steps / prerequisites to enable alerting in Kibana:

  1. Set up Kibana to work with Elastic Stack security features.
  2. Set up TLS encryption between Kibana and Elasticsearch.
  3. Specify a value for xpack.encryptedSavedObjects.encryptionKey.

I have a 3-node cluster. I generated elastic-stack-ca.p12 on one node, gave it a passphrase, and copied it to all the other nodes. Then I generated elastic-certificates.p12 on every node using the other elastic-stack-ca.p12 file. Then I copied elastic-stack-ca.p12 to the config directory and created a certs directory inside it for elastic-certificates.p12. I believe I have completed step 1.

For step 2, I gave the below configurations in kibana.yml

elasticsearch.username: "kibana_system"
elasticsearch.password: "password" "1h" "30d"

I started Kibana and was presented with the login page, and the credentials work just fine. Now, as per the documentation, I was doing step 2, to enable TLS on the HTTP layer in Elasticsearch. I have one Kibana node and 3 Elasticsearch nodes. What steps do I need to perform to generate certificates to integrate it with Kibana, so that I can proceed with alerting?

If any information is missing, I can provide it.


Actually, since you already generated certificates to encrypt communications between your cluster nodes on the transport layer, you can use the same certificates on the HTTP layer!

In each of your cluster nodes, add this to your elasticsearch.yml: true "/path/to/elastic-certificates.p12" "your keystore password"

Then, you need to extract the CA certificate so Kibana knows it can trust these server certificates. Run this command:

openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out elasticsearch-ca.pem

Copy that PEM file over to your Kibana server, and add this to your kibana.yml:

elasticsearch.ssl.certificateAuthorities: ["/path/to/elasticsearch-ca.pem"]

Edit: as per the docs:

The Elasticsearch API key service is automatically enabled when you configure TLS on the HTTP interface. This ensures that clients are unable to send API keys in clear-text.

So you don't need to take any additional steps to enable the API key service once you've enabled TLS on the HTTP layer.
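A way to check the extracted CA file before pointing Kibana at it, as an added example that is not part of the original answer: it repeats the extraction above, confirms the PEM holds a certificate and no private key, and verifies that the node certificate in the same bundle chains to it. The function name check_http_ca and the P12_PASS environment variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). The bundle password is read from the
# P12_PASS environment variable rather than argv, so it stays out of the
# process list.
# Usage: P12_PASS=... check_http_ca elastic-certificates.p12 elasticsearch-ca.pem
check_http_ca() {
  local p12="$1"
  local out="$2"
  local tmp rc=0
  tmp="$(mktemp -d)" || return 1

  # Same extraction as in the answer: CA certificates only, no keys.
  if ! openssl pkcs12 -in "$p12" -cacerts -nokeys -passin env:P12_PASS \
        -out "$tmp/ca.pem" 2>/dev/null; then
    rm -rf "$tmp"; return 2          # unreadable bundle or wrong password
  fi
  # The node's own certificate, used here only to test the chain.
  if ! openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
        -out "$tmp/node.pem" 2>/dev/null; then
    rm -rf "$tmp"; return 2
  fi

  if ! grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem"; then
    rc=3                             # bundle carries no CA certificate
  elif grep -q 'PRIVATE KEY' "$tmp/ca.pem"; then
    rc=4                             # key material must never be copied to Kibana
  elif ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/node.pem" >/dev/null 2>&1; then
    rc=5                             # node certificate does not chain to this CA
  fi

  if [ "$rc" -eq 0 ]; then
    # Subject, fingerprint and expiry, to compare across all cluster nodes.
    openssl x509 -in "$tmp/ca.pem" -noout -subject -fingerprint -sha256 -enddate
    cp "$tmp/ca.pem" "$out"          # written only after every check passed
  fi
  rm -rf "$tmp"
  return "$rc"
}
```

The output file is created only when all checks pass, so a failed run never leaves a partial or unverified PEM behind.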

Thank you so much @jportner for sparing your valuable time in helping me 🙂

You're very welcome!
