We have a service that connects to Elasticsearch from C# and Python. We are using a reverse proxy with client certificate authentication. From C# we pull the certificate from the local store and include it with the request. I was never able to figure out how to do this from Python (see Connecting to Elasticsearch via Python with SSL and client certificate --> CERTIFICATE_VERIFY_FAILED). I ended up storing the certificate as a pem file and reading that in on the creation of the Elasticsearch client.
I am currently tasked with moving all of our secrets (i.e. keys, certs, connection strings, etc.) out of source code. I have moved everything to Azure KeyVault except the ES client cert in Python (because we access KeyVault with a cert, which again is the same problem). I found that I am able to access the cert with:
import os
import wincertstore

def export_client_cert_pem(name="xxx"):
    # Open the current user's personal ("MY") store and look for the client-auth cert by name.
    with wincertstore.CertSystemStore("MY") as store:
        for cert in store.itercerts(usage=wincertstore.CLIENT_AUTH):
            if cert.get_name() == name:
                cert_pem = cert.get_pem()  # public certificate only, no private key
                with open("esCertTest.pem", "w") as file:
                    file.write(cert_pem)
                return os.path.realpath(file.name)
    return None
This works, except... This is just the cert and does not include the private key, so the call to ES fails.
I need to find out one of the following:
- Can I get the private key from the cert I get from wincertstore?
- If not, by what method can I get a certificate in Python that does not involve storing any secrets in my source code?
Thanks,
~john
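Added example, not code from the post above: a standard-library check that makes the failure described in the question visible before the Elasticsearch call is made. A certificate carries only the public key, so the PEM returned by wincertstore's get_pem() can never yield the private key; a TLS client identity needs a CERTIFICATE block plus an unencrypted private-key block, and this check refuses to build the elasticsearch-py client_cert/client_key arguments until both are present. It assumes the key, where one exists, lives in a separate PEM file whose path comes from configuration rather than source, and the sample PEM blocks are constructed placeholders, not real key material.

```python
import re
from pathlib import Path

# A PEM file is a sequence of labelled blocks; the label says what each block holds.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY_LABEL = "ENCRYPTED PRIVATE KEY"

def pem_labels(pem_text):
    """Return the labels of all PEM blocks in the text, in order."""
    return _PEM_BLOCK.findall(pem_text)

def describe_identity(cert_pem, key_pem=None):
    """Classify the material in a cert file plus an optional separate key file.

    A TLS client identity needs both a CERTIFICATE block and an unencrypted private
    key block; a cert exported from the Windows store alone yields only the former.
    Returns "complete", "missing-key", "encrypted-key" or "missing-cert".
    """
    labels = pem_labels(cert_pem) + (pem_labels(key_pem) if key_pem else [])
    if "CERTIFICATE" not in labels:
        return "missing-cert"
    if ENCRYPTED_KEY_LABEL in labels:
        return "encrypted-key"   # needs a passphrase before the client can use it
    if not PRIVATE_KEY_LABELS & set(labels):
        return "missing-key"     # the state a wincertstore get_pem() export leaves you in
    return "complete"

def es_client_kwargs(cert_path, key_path=None):
    """Build the client_cert/client_key arguments for elasticsearch-py, refusing to
    return anything when the files cannot form a usable client identity."""
    cert_pem = Path(cert_path).read_text()
    key_pem = Path(key_path).read_text() if key_path else None
    status = describe_identity(cert_pem, key_pem)
    if status != "complete":
        raise ValueError(f"client identity at {cert_path} is unusable: {status}")
    kwargs = {"client_cert": cert_path}
    if key_path:
        kwargs["client_key"] = key_path
    return kwargs

# Constructed sample blocks (placeholder bodies, not real key material) for a stand-alone run.
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIBY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEY29uc3RydWN0ZWQ=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_ENCRYPTED_KEY = "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFY29u\n-----END ENCRYPTED PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(describe_identity(SAMPLE_CERT_ONLY))              # missing-key
    print(describe_identity(SAMPLE_CERT_ONLY, SAMPLE_KEY))  # complete
```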