Trouble enabling SSL on Kibana

RHEL7 Elastic Stack 6.7.1 Not using X-Pack. (following this guide)

I'm having trouble configuring SSL on Kibana over 5601. First I generated a key and then I generated a CSR and sent it to the CA. I retrieved the cert and have two available certs. Base 64 encoded and Base 64 encoded with CA certificate chain in pkcs7 format.

I retrieved both, put the Base64 in a mycert.cer file, put the pcks7 one in a mycert.p7b file. Converted the pcks7 into pem with

openssl pkcs7 -print_certs -in /etc/kibana/certs/mycert.p7b -out /etc/kibana/certs/mycert.pem

I put/made sure that .key, .cer and .pem were in the /etc/kibana/cert folder and changed ownership:group to kibana.

in kibana.yml I put

server.ssl.enabled: true 
server.ssl.key: /etc/kibana/certs/mycert.key 
elasticsearch.ssl.certificate: /etc/kibana/certs/mycert.pem

Originally i created the CSR with a CN of


then after it failed i created one with


When I try to start Kibana i get an error message of:

digital envelope routines:EVP_DecryptFinal_ex:bad decrypt

In trying to search on the subject I see that it can be caused by incompatible OpenSSL versions - but i'm on the same system so that seems unlikely.

to add to this, i created a self-signed ca and cert to use and it worked fine. When I compare the self-signed ca-cert to the PKCS7 one it's quite a bit different, the PEM converted PKCS7 contains the system cert, and all intermediate ones.

Based on you're update I am not quite sure if you got this working or are still looking for assistance.

at the update I did, but since then i solved it.

I believe the error part was I didn't have the -ext properly set.

I recreated the Key and CSR (my CA must love me) following this strictly

keytool -genkey                  \
        -alias     node01        \ 
        -keystore  node01.jks    \ 
        -keyalg    RSA           \
        -keysize   2048          \
        -validity  712           \

then the CSR with this.

keytool -certreq                   \
        -alias      node01         \ 
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \

I made sure this time to use the -ext option (docs say it's optional) and made darn sure that the alias and the ext were exact. I didn't use the keystore and it just installed it locally.

Then I saved the Key, the base64 Certificate, the PKCS7 version locally - converted the PKCS7 to PEM and set my Kibana to look for the crt, key and the pem.

Great to hear, thanks for the update.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.