What's the best way to deal with this? Should I just convert the CA and keys using openssl?
Elasticsearch can use PKCS#12 or PEM, and our certificate tool (elasticsearch-certutil) can work with and generate either.
We default to PKCS#12 in the docs and in the tool because it produces a single file that contains all the certificate and key information that is needed for a node, so configuration is simpler.
Unfortunately the PKCS#12 support in Node.JS isn't as feature rich as in Java, so we aren't able to support PKCS#12 CAs in Kibana right now.
Thanks Tim! Interesting. Being less familiar with some of this there was a bit of a learning curve, and probably an area where there is room for improvement in the documentation for Kibana under "Kibana User Guide [6.5] >> Setup Kibana >> Configuring Security in Kibana >> Encrypting communications in Kibana". In case it helps anyone else I've solved this issue using the following procedure:
- Generate a new self-signed server certificate in PEM format for the kibana https server using OpenSSL
  openssl req -newkey rsa:2048 -nodes -keyout kibana.key -x509 -days 365 -out kibana.crt
  Omit the -nodes option to use a password on the key file, and change the days option to change the time length of certificate validity
  Alternatively you could use a validated CA to avoid the browser security warning
- These files are then used in the kibana.yml file server.ssl.key and server.ssl.certificate. After changing these settings you can connect to kibana on https://. However, kibana won't connect to elasticsearch unless you pass in the path to the elasticsearch CA file or set elasticsearch.ssl.verificationMode: none
- To fully enable the https connection between kibana and elasticsearch you will need to convert the PKCS#12 *.p12 CA file generated during the elasticsearch security configuration using the to PEM format using OpenSSL
  openssl pkcs12 -in elastic-stack-ca.p12 -out elastic-stack-ca.pem
  Then set the elasticsearch.ssl.certificateAuthorities parameter in the kibana.yml file to point to the location of the PEM format certificate/key file
- Change the elasticsearch.ssl.verificationMode parameter in the kibana.yml file to 'certificate' if you are using a self-signed certificate authority or 'full' if using a verified CA
- Finally remember to add https:// ahead of the elasticsearch.url parameter in the kibana.yml file
- Restart kibana and the connection will be established, and now connect to kibana via https://
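
Added example, not part of the original posts: the openssl pkcs12 command in the procedure above has no -nokeys, so the PEM it writes also carries the CA private key, while elasticsearch.ssl.certificateAuthorities only needs the CA certificate. The script below exports or filters a certificate-only bundle and checks it; the function names and the sample file are constructed for illustration.

```shell
# Export only the certificates from the CA PKCS#12 file. -nokeys omits the
# CA private key from the PEM output. (Needs openssl; not run in the demo.)
export_ca_cert_only() {
  openssl pkcs12 -in "$1" -nokeys -out "$2"
}

# Print the type of every PEM block in a file, one per line.
pem_block_types() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 only if the file holds at least one certificate and no key block
# (matches PRIVATE KEY, ENCRYPTED PRIVATE KEY and RSA PRIVATE KEY).
ca_bundle_is_cert_only() {
  if pem_block_types "$1" | grep -q 'PRIVATE KEY'; then return 1; fi
  pem_block_types "$1" | grep -qx 'CERTIFICATE'
}

# Copy only the CERTIFICATE blocks of $1 into $2, dropping key blocks and the
# "Bag Attributes" text that openssl pkcs12 writes between blocks.
keep_certs_only() {
  awk '/^-----BEGIN CERTIFICATE-----$/ {keep=1}
       keep {print}
       /^-----END CERTIFICATE-----$/ {keep=0}' "$1" > "$2"
}

# Constructed sample shaped like a full PKCS#12-to-PEM export (placeholder
# base64, not real key material).
write_sample_export() {
  cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: ca
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
write_sample_export "$demo_dir/full-export.pem"
keep_certs_only "$demo_dir/full-export.pem" "$demo_dir/ca-cert-only.pem"
for f in "$demo_dir"/*.pem; do
  if ca_bundle_is_cert_only "$f"; then echo "OK      $f"; else echo "REJECT  $f"; fi
done
rm -rf "$demo_dir"
```

Running ca_bundle_is_cert_only against the file named in elasticsearch.ssl.certificateAuthorities before restarting Kibana confirms that the CA key has not been copied to the Kibana host.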