PKI chain realms

I want to add two PKI authentication realms in order to map each one to a specific role-mapping. I know I can create a realm chain, but I'm in need of help with setting up my secondary PKI realm using the OU name. For example, the PKI user's PKI will look something like this:

CN=Doe John D,OU=People,OU=Google,OU=ITAdmin,OU=IT,O=U.S.

I'm looking to authenticate all users with OU=ITAdmin to a specific role mapping. I've already created the role mapping.

Why do you want to do this with 2 realms? Do you have 2 different CAs?

@TimV I want to do 2 realms so users can automatically be assigned a role-mapping based on a specific OU group in their PKI. I know I can add users individually and explicitly, but that can become a little tedious with over 100 users. In addition, we're not using LDAP or Active Directory, which could also probably be useful in assigning a group of users to a role-mapping. I saw in the Elastic docs where you could specify two LDAP realms in the realm chain, but just wanted to know if this was possible using the PKI realm. I've created two spaces, where one is for a specific user, and a general space where any user with PKI can automatically access. The general PKI authentication works for the general space, but I would like to also have users authenticate against a second PKI realm if they meet a certain criteria, which in this case is based on the OU.

@TimV question, instead of mapping the full subject name to a role-mapping is it possible to do something like below?

curl -k -XPUT -u elastic "https://localhost:9200/_security/role_mapping/<role-mapping name>" -H "Content-Type: application/json" -d '{
  "roles" : [ "<role-mapping>" ],
  "rules" : {
    "field" : {
      "dn" : "OU=ITAdmin"
    }
  },
  "enabled": true
}'

I see there is a way to create user_dn_templates for LDAP realm, is there something similar in PKI realm? Something like cn={0},OU=People,OU=Google,OU=ITAdmin,OU=IT,O=U.S.
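The question above, as an added example that is not part of the original thread or Elastic's own code: Elasticsearch role-mapping field rules accept `*` wildcards in the `dn` value, so one mapping can select every certificate subject that carries a given OU. The sketch below models wildcard matching locally (a simplified matcher, not Elasticsearch's) over constructed sample DNs to show why the pattern should be anchored on RDN boundaries before it is used to grant a role; the extra users and the function names are assumptions.

```python
import json
import re

# Constructed sample subject DNs, modelled on the one in the thread.
SAMPLE_DNS = [
    "CN=Doe John D,OU=People,OU=Google,OU=ITAdmin,OU=IT,O=U.S.",
    "CN=Roe Jane R,OU=People,OU=Google,OU=Sales,OU=IT,O=U.S.",
    "CN=Poe Sam P,OU=People,OU=Google,OU=ITAdminContractors,OU=IT,O=U.S.",
]

def wildcard_match(pattern, dn):
    """Simplified model of a wildcard field rule: '*' matches any run of
    characters, '?' one character. Case-insensitive comparison is an
    assumption of this sketch, not a statement about Elasticsearch."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.fullmatch("".join(parts), dn, re.IGNORECASE | re.DOTALL) is not None

def matched(pattern, dns=SAMPLE_DNS):
    """Return the CN component of every sample DN the pattern selects."""
    return [dn.split(",", 1)[0] for dn in dns if wildcard_match(pattern, dn)]

def role_mapping_body(role, pattern):
    """Build the JSON body for PUT /_security/role_mapping/<name>."""
    return json.dumps({"roles": [role], "enabled": True,
                       "rules": {"field": {"dn": pattern}}}, indent=2)

if __name__ == "__main__":
    # Bare RDN: exact comparison against the full DN, selects nobody.
    # Unanchored wildcard: also selects OU=ITAdminContractors.
    # Comma-anchored wildcard: selects only the OU=ITAdmin RDN.
    for p in ("OU=ITAdmin", "*OU=ITAdmin*", "*,OU=ITAdmin,*"):
        print(f"{p!r:20} -> {matched(p)}")
    print(role_mapping_body("<role name>", "*,OU=ITAdmin,*"))
```

The printed body can be passed to the `curl -d` call shown earlier in the thread; the role granted this way is only as trustworthy as the CA's control over which subjects receive that OU.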
