Install Certificate .PFX

Hi, I'm new here and I have some questions.
I need to install a client-generated certificate on your Linux server.
Its format is PFX; how do I convert it to an acceptable format?
Another point: should it be installed in the Kibana or Elastic folder?
It's the first time I have performed the installation, and I found the documentation a bit confusing.

PFX is PKCS#12 format. Elasticsearch supports P12 or PEM, Kibana only supports PEM.

Config files need to go in the config directory of each application. Elasticsearch and Kibana are locked down to only have access to their config directories.

Use openssl examples from docs to export P12 contents into individual PKCS#8 Key and X.509 Certificate files. In general, text (PEM) or binary (ASN1 DER) can be supported, but Elastic applications use PEM.

Blog with examples: Elasticsearch Security: Configure TLS/SSL & PKI Authentication | Elastic Blog

In general, different TLS use cases require different certificates. If you are configuring TLS manually in Elasticsearch and Kibana, you need a minimum of 2 different certs.

Recommended for minimum TLS security:

  1. Elasticsearch Transport client+server
  2. Elasticsearch HTTP server
  3. Kibana HTTP server

Certs for 1 should be issued by a private CA, because these certs are for internal node-to-node clustering. Public trusted certs are not desirable, and public CAs generally don't issue TLS client certs, so use elasticsearch-certutil for this mTLS cert (aka TLS mutual authentication).

Certs for 2 and 3 should be issued by a public CA, or enterprise CA, because these certs are for HTTPS clients to trust TLS servers. Separate certs can be used if Kibana and Elasticsearch are deployed on different servers. However, a single cert could be used if it contains a SAN dnsName with a wildcard, or separate dnsName entries for each server address.
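The PFX-to-PEM export described in the reply above, as an added example that is not part of the original post or Elastic's documentation. The function names, the output file names (`server.key`, `server.crt`, `ca.crt`) and the demo bundle are assumptions made for illustration; the demo certificate and password are constructed.

```shell
#!/bin/sh
# Added example: split a PFX (PKCS#12) bundle into the PEM files Kibana needs.
# Function and file names are hypothetical, chosen for this illustration.

# key_matches_cert KEY.pem CERT.pem -> 0 if both carry the same public key
key_matches_cert() (
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# pfx_to_pem BUNDLE.pfx PASSWORD OUT_DIR
pfx_to_pem() (
  pfx=$1; out=$3
  export PFX_PASS="$2"   # read via env: so the password stays off the command line
  umask 077              # extracted files are readable by the owner only
  mkdir -p "$out" || exit 1
  # Private key -> unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY")
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
    openssl pkcs8 -topk8 -nocrypt -out "$out/server.key" 2>/dev/null || exit 1
  # Leaf certificate -> X.509 PEM (x509 drops the PKCS#12 bag attributes)
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys 2>/dev/null |
    openssl x509 -out "$out/server.crt" 2>/dev/null || exit 1
  # Issuing CA chain, if the bundle carries one (file is empty otherwise)
  openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      > "$out/ca.crt"
  # Refuse to report success if key and certificate do not belong together
  key_matches_cert "$out/server.key" "$out/server.crt"
)

# make_demo_pfx DIR PASSWORD -> DIR/demo.pfx (constructed, self-signed, 1 day)
make_demo_pfx() (
  dir=$1; export PFX_PASS="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kibana.example.test" \
    -keyout "$dir/demo.key" -out "$dir/demo.crt" 2>/dev/null || exit 1
  openssl pkcs12 -export -inkey "$dir/demo.key" -in "$dir/demo.crt" \
    -name demo -passout env:PFX_PASS -out "$dir/demo.pfx"
)

# Usage: sh pfx2pem.sh client.pfx 'password' /path/to/kibana/config/certs
if [ $# -eq 3 ]; then pfx_to_pem "$@"; fi
```

The extracted key is unencrypted, so keep it inside the application's config directory with ownership restricted to the service account. A PFX written by an older tool may use legacy encryption that OpenSSL 3 only reads with the `-legacy` option on `openssl pkcs12`.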
