Hi,
I'm trying to set up PKI for user authentication on the HTTP layer, but I always get "missing authentication credentials for REST request [/_security/_authenticate?pretty]".
After checking the documentation, here are the steps I took:
- Downloaded ES and activated the trial. I can now see 'Active license is now [TRIAL]; Security is enabled' in the logs.
- Generated the certificates:
elasticsearch-certutil ca
elasticsearch-certutil cert --ca C:/es/elasticsearch-7.6.2/elastic-stack-ca.p12
For the steps above, I kept the default filenames but added passwords. I also copied the file to <es_dir>/config/certs.
- Added the following to elasticsearch.yml:
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: C:/es/elasticsearch-7.6.2/config/certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional
xpack.security.authc.realms.pki.pki1.order: 1
- Added the password from step 2 to the ES keystore with:
elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
At this point I can start Elasticsearch, and when I access https://localhost:9200 I get a prompt to enter a username and password.
- Created a client certificate:
elasticsearch-certutil cert --ca C:/es/elasticsearch-7.6.2/elastic-stack-ca.p12 -name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"
The command above generates a 'client.p12' file.
- Executed:
openssl pkcs12 -in client.p12 -nocerts -nodes > client.key
openssl pkcs12 -in client.p12 -clcerts -nokeys > client.cer
openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > client-ca.cer
- For testing, I used the following command:
curl https://localhost:9200/_security/_authenticate?pretty --key client.key --cert client.cer --cacert client-ca.cer -k -v
If I use the -u option in the curl command, I get a successful response. Does that mean that the certificates are incorrect? Do you know what I am missing?
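Added example, not from the original post: a shell script that builds a constructed throwaway CA and client certificate with openssl (stand-ins for elastic-stack-ca.p12 and client.p12) and then runs the three checks worth doing on client.cer, client.key and client-ca.cer before reaching for curl: that the client certificate chains to the CA bundle, that the private key belongs to the certificate, and which subject DN the PKI realm will actually see. File names and the test CA subject are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a constructed throwaway CA and
# client certificate with openssl, standing in for elastic-stack-ca.p12 and client.p12,
# then runs the checks worth doing on client.cer / client.key / client-ca.cer before curl.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed CA, playing the role of the CA inside elastic-stack-ca.p12
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
  -keyout ca.key -out ca.cer 2>/dev/null
# Constructed client key and certificate signed by that CA, same DN shape as in the post
openssl req -newkey rsa:2048 -nodes -subj "/CN=something/OU=Consulting Team/DC=mydomain/DC=com" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
  -days 1 -out client.cer 2>/dev/null

# 1. Does the client certificate chain to the CA bundle the server trusts?
#    A PKI realm only accepts certificates that verify against its trusted CAs,
#    so a certificate from the wrong CA is rejected before any username is derived.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# 2. Does the private key actually belong to the certificate?
#    A mismatched --key/--cert pair never reaches the server as a valid client certificate.
key_matches() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 3. Which subject DN does the certificate carry? The CN from that DN is what the
#    PKI realm reports as the username from _security/_authenticate by default.
subject_dn() { openssl x509 -in "$1" -noout -subject; }

chain_ok client.cer ca.cer && echo "chain: ok" || echo "chain: FAIL"
key_matches client.cer client.key && echo "key/cert: match" || echo "key/cert: MISMATCH"
subject_dn client.cer
```

Note that curl's -k only disables verification of the server's certificate; it has no effect on whether the server accepts the client certificate, so these checks are independent of it.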