I've exported the CA from our Microsoft Enterprise CA, but it's a two-tier authority with a Root and a Subordinate. This means the CA certificate is a chain (containing the Root and Sub certificates).
When I try to create the http certificates I can't use this CA certificate as it's a chain. What do you do if your CA is a chain? I can't see any documentation on this?
I'm sorry, you need to give more detail or we're just guessing about what problem you're running into.
What are you trying to use certutil for? How are you invoking it? What is the error message?
I am surprised that you're trying to use certutil at all - if you're using Microsoft certificate tooling then I would expect that you'd just stick with that and generate certificates there.
I'm using certutil on elastic to generate the csr which I then sign with the MS CA. I'm following the documentation I linked at step 3. I can't generate the http certificates as elastic tells me it doesn't support certificate chains as the ca.crt.
I've exported my Subordinate Root CA cert and key from my Windows subordinate CA. I've then placed these files in /etc/elasticsearch/certs/ca. I've then run the command to import the ca into the keystore.
This appears to work ok. I've then generated certificates for the transport layer following Step 2 of the documentation posted earlier. This uses certutil to generate the csrs (including any SANS/IPs) which I then pass to the Windows CA for signing. The resulting certificates are then stored in /etc/elasticsearch/certs and referenced in the elasticsearch.yml.
Respond to the command prompts as follows:
* **When asked if you want to generate a CSR, enter n.**
* **When asked if you want to use an existing CA, enter y.** If you’re using your organization’s CA certificate, specify that certificate and key in the following two steps.
The elasticsearch http tool then asks me to specify the location of the existing ca file. I enter /etc/elasticsearch/certs/ca/ca.crt
I receive the error:
The file at /etc/elasticsearch/certs/ca/ca.crt contains multiple certificates. This type of file typically represents a certificate-chain
This tool requires a single certificate for the CA
Error: /etc/elasticsearch/certs/ca/ca.crt: Unsupported file type (certificate chain), with exit code 65
As I mentioned earlier, if you have existing certificate tooling (your Microsoft suite) then that is usually the best option. There is absolutely no requirement to use elasticsearch-certutil, and if you do choose to use it, then you may prefer to generate a CSR that you can fulfill in your MS tooling instead of exporting the CA from the Microsoft CA manager.
That recommendation is from both a convenience point of view (stick with one set of tools that you know well) and a security point of view (exporting CA keys and using them in multiple places is likely to lead to them being accidentally leaked).
If you really want to use elasticsearch-certutil to generate your certificates then you're going to need to edit the ca.crt file so that it contains only a single certificate.
Your ca.crt probably looks something like the example at the bottom of this post.
It contains two certificates separated by -----BEGIN and -----END markers. Typically the first certificate will be your intermediate (subordinate/signing) cert, and the second certificate will be the root.
You just need to copy the first certificate into a separate file and point elasticsearch-certutil at that file instead.
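An added example (not from this thread or from Elastic's tooling) that does the split described above in Go, but selects the signing certificate by checking which block is self-signed rather than by its position in the file; the root and subordinate certificates it mints are constructed stand-ins for the two-tier Microsoft CA, and the names are assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// SplitBundle separates a PEM bundle like the exported ca.crt into the issuing
// (subordinate) CA cert, which is what elasticsearch-certutil wants, and the root.
func SplitBundle(bundle []byte) (signing, root []byte, err error) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip a private key or other block in the bundle
		}
		c, perr := x509.ParseCertificate(b.Bytes)
		if perr != nil {
			return nil, nil, perr
		}
		if c.CheckSignatureFrom(c) == nil { // self-signed, so this is the root
			root = append(root, pem.EncodeToMemory(b)...)
		} else {
			signing = append(signing, pem.EncodeToMemory(b)...)
		}
	}
	if signing == nil || root == nil {
		return nil, nil, errors.New("expected one issuing CA and one self-signed root")
	}
	return signing, root, nil
}

// newCA mints a CA cert (self-signed when parent is nil): constructed test data.
func newCA(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

The `signing` output is the single-certificate file to give elasticsearch-certutil, and the `root` output is what clients should be configured to trust.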
I've done exactly as you've suggested and elasticsearch doesn't start with a bad_certificate error.
Is there any documentation anywhere as to how to configure elasticsearch using a Microsoft (or other) CA?
I'm assuming I can just use the certutil tool to generate the csrs for each node, kibana and fleet and then just stick the certs as pem format somewhere and then reference in the .yml. I can ignore all the keystore stuff at that point.
I've managed to get Elasticsearch running by just using PEMs. However it doesn't seem to be documented anywhere that you can't use certificate verification without having a specific certificate template created by your CA. The MS webserver template doesn't include client authentication by default. It would be good if the certificate requirements were documented somewhere (did I miss it?).
Also in elasticsearch.yml you can specify the /etc/elasticsearch/certs directory with just /certs/. In Kibana you appear to have to put in the full path, /certs/ doesn't seem to work. Is that right?
I'm now trying to secure the Fleet server but it appears you have to start again with Fleet as there is no documented method to update the installation to use certificates?
What's in ca.crt is it the chain or just the root cert?
What I would normally do in your case is:
* configure ES to send the whole chain (or at least the leaf & intermediate)
* configure clients to trust the root only.
Configuring ES to use the chain can be done by concatenating the certificates together and using that chained certificate file for xpack.security.http.ssl.certificate
You can follow the steps here
The ca.crt has both the Root and Subordinate certificate in.
I assume I don't need to add the chain to the ES certs if the ca.crt already includes both the root and sub?
Certs are currently working for ES and Kibana, I can't turn on Full or Certificate validation though without getting errors about not being able to verify the certs.
Just having issues connecting Fleet (results in Error - x509: certificate signed by unknown authority). This error is seen on the fleet server and on my primary elasticsearch server.