Hello,
I have a pfx file from my IT dept to use in one of our environments, can I use that, or convert it to a format suitable for use with certutil?
Total noob question, sorry
Thank you,
Stephen
A pfx file is Microsoft's name for a PKCS#12 file (the history is a little more complicated than that, but you can read it on Wikipedia if you care).
X-Pack supports PKCS#12 as of Elasticsearch v6.0 by treating them as a keystore (or truststore).
https://www.elastic.co/guide/en/elasticsearch/reference/6.0/security-settings.html#_pkcs_12_files_3
Hey Tim,
Thanks again for jumping in.
If I went that route, what would change in this documentation then? This blog post is becoming the basis for my deployment run-book, would you be able to tell me where the setup would differ? Sounds like I can use these files end to end too, correct?
Sorry for the delay in getting back to you.
If you want to convert a PKCS#12 file to PEM format, you can, but you need to use openssl. certutil doesn't have any file conversion functions.
For which purposes do you intend to use the certificate that your IT dept provided?
For anything within Elasticsearch you can just switch in ssl.keystore.path everywhere the blog post suggests using ssl.certificate and ssl.key. Depending on what's in the .pfx file, you may also want to set ssl.truststore.path instead of ssl.certificate_authorities, but I can't be sure without knowing what your PKCS#12 file contains.
So:
xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt
could become
xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.certificate_authorities: certs/corporate-ca.crt
or
xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.truststore.path: certs/elasticsearch.pfx
or even
xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.truststore.path: certs/corporate-ca.pfx
It just depends. Sorry I can't be more helpful. Setting up TLS can be not-too-painful if you get to control the whole process, but once corporate CAs get involved, it introduces a lot of variables, and it's hard to define a precise process.
I would start by looking at the contents of the pfx file. If you have access to openssl, then you can do:
openssl pkcs12 -in elasticsearch.pfx -nodes
If not, then java's keytool can do an adequate (but not great) job:
keytool -list -keystore elasticsearch.pfx
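Added example, not from the thread or from Elastic: a POSIX shell script that builds a test .pfx with openssl, runs the inspection command from the answer above and maps what it finds onto the xpack.ssl.* variants Tim lists. The file names, the password "changeit" and the self-signed certificates are constructed for the demo; a real corporate PFX (and its password) would take their place.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a .pfx with openssl and work out
# which xpack.ssl.* settings it can back. File names, the password "changeit"
# and the self-signed test material below are constructed for demonstration.
set -u

# Build a throwaway .pfx holding a node key, its certificate and a separate
# "corporate" CA certificate, mirroring what an IT department might hand over.
make_test_pfx() {  # usage: make_test_pfx DIR PASSWORD
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Corporate CA" \
    -keyout "$1/ca.key" -out "$1/corporate-ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=node1" \
    -keyout "$1/node1.key" -out "$1/node1.crt" 2>/dev/null
  openssl pkcs12 -export -name node1 -inkey "$1/node1.key" -in "$1/node1.crt" \
    -certfile "$1/corporate-ca.crt" -out "$1/elasticsearch.pfx" -passout "pass:$2"
}

# Dump the PKCS#12 as PEM (the "openssl pkcs12 -in ... -nodes" step from the
# answer) and count private keys and certificates. Prints "keys=N certs=M".
pfx_inventory() {  # usage: pfx_inventory FILE PASSWORD
  dump=$(openssl pkcs12 -in "$1" -nodes -passin "pass:$2" 2>/dev/null) || return 1
  keys=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
  certs=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
  printf 'keys=%s certs=%s\n' "$keys" "$certs"
}

# Emit the xpack.ssl settings the file can back. A key with only its own
# certificate covers the keystore side; extra certificates (chain or CA) mean
# the same file can also be the truststore, as in the answer's second variant.
suggest_xpack_ssl() {  # usage: suggest_xpack_ssl FILE PASSWORD
  inv=$(pfx_inventory "$1" "$2") || { echo "cannot read $1: bad password or not PKCS#12" >&2; return 1; }
  keys=${inv#keys=}; keys=${keys%% *}; certs=${inv##*certs=}
  if [ "$keys" -ge 1 ]; then printf 'xpack.ssl.keystore.path: certs/%s\n' "$(basename "$1")"; fi
  if [ "$certs" -gt "$keys" ]; then   # CA/chain certs present: reuse the file as truststore
    printf 'xpack.ssl.truststore.path: certs/%s\n' "$(basename "$1")"
  else                                 # only the node certificate: CA must come from elsewhere
    printf 'xpack.ssl.certificate_authorities: certs/corporate-ca.crt\n'
  fi
}

# Demo on the constructed test material; prints the inventory and a config suggestion.
work=$(mktemp -d)
make_test_pfx "$work" changeit
pfx_inventory "$work/elasticsearch.pfx" changeit
suggest_xpack_ssl "$work/elasticsearch.pfx" changeit
rm -rf "$work"
```

With a real file, run pfx_inventory on it first: a result of keys=0 means IT gave you a CA bundle that can only serve as the truststore, while keys=1 with certs=1 means you still need the corporate CA certificate from somewhere else.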