PKI authentication with shield - client certificate not requested


I'm trying to configure shield with PKI user authentication.
SSL seems to be configured and working properly (e.g. I can query over https).

When I configure a realm chain with PKI it appears that a client certificate is not requested during the SSL handshake. Any idea what might be causing it?

This is my elasticsearch.yml:

script.engine.groovy.inline.aggs: on
shield.ssl.keystore.path: C:\elasticsearch-2.3.3\elasticsearch-2.3.3\config\shield\keyStore.jks
shield.ssl.keystore.password: password
shield.ssl.truststore.path: C:\elasticsearch-2.3.3\elasticsearch-2.3.3\config\shield\keyStore.jks
shield.ssl.truststore.password: password
shield.transport.ssl : true
shield.http.ssl: true
type: pki
username_pattern: CN=(.*?)(?:,|$)


I also have encountered the same problem. Couldn't find why I don't see any sign for client authentication using PKI and I have almost the same configuration. I can see three way SSL handshake and all steps of key exchange but not client authentication. Would also love to get some insights about this issue.

Mystery solved -
shield.http.ssl.client.auth: optional

See full documentation here:

Geez, I'd expect this to be in the PKI tutorial... :S

1 Like