Why does elasticsearch use PKCS#12, while Kibana needs PEM?

What's the best way to deal with this? Should I just convert the CA and keys using openssl?

Elasticsearch can use PKCS#12 or PEM, and our certificate tool (elasticsearch-certutil) can work with and generate either.

We default to PKCS#12 in the docs and in the tool because it produces a single file that contains all the certificate and key information that is needed for a node, so configuration is simpler.

Unfortunately the PKCS#12 support in Node.js isn't as feature-rich as in Java, so we aren't able to support PKCS#12 CAs in Kibana right now.

4 Likes

Thanks Tim! Interesting. Being less familiar with some of this there was a bit of a learning curve, and probably an area where there is room for improvement in the documentation for Kibana under "Kibana User Guide [6.5] >> Setup Kibana >> Configuring Security in Kibana >> Encrypting communications in Kibana". In case it helps anyone else I've solved this issue using the following procedure:

  1. Generate a new self-signed server certificate in PEM format for the kibana https server using OpenSSL

openssl req -newkey rsa:2048 -nodes -keyout kibana.key -x509 -days 365 -out kibana.crt

Omit the -nodes option to use a password on the key file, and change the -days option to change the length of certificate validity.
Alternatively you could use a validated CA to avoid the browser security warning.

  2. These files are then used in the kibana.yml file settings server.ssl.key and server.ssl.certificate. After changing these settings you can connect to kibana on https://. However, kibana won't connect to elasticsearch unless you pass in the path to the elasticsearch CA file or set elasticsearch.ssl.verificationMode: none

  3. To fully enable the https connection between kibana and elasticsearch you will need to convert the PKCS#12 *.p12 CA file generated during the elasticsearch security configuration to PEM format using OpenSSL

openssl pkcs12 -in elastic-stack-ca.p12 -out elastic-stack-ca.pem

Then set the elasticsearch.ssl.certificateAuthorities parameter in the kibana.yml file to point to the location of the PEM format certificate/key file.

  4. Change the elasticsearch.ssl.verificationMode parameter in the kibana.yml file to 'certificate' if you are using a self-signed certificate authority or 'full' if using a verified CA

  5. Finally remember to add https:// ahead of the elasticsearch.url parameter in the kibana.yml file

  6. Restart kibana and the connection will be established, and now connect to kibana via https://

4 Likes
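
An added example, not part of either post: `openssl pkcs12` without `-nokeys` also writes the CA private key into the PEM file, while Kibana only needs the CA certificate to verify Elasticsearch. The script below exports the certificate alone and audits the resulting PEM and kibana.yml; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# file names and kibana.yml keys are the ones used in the posts above.

# Export only the certificate from the PKCS#12 CA bundle. -nokeys keeps the
# CA private key out of the PEM file that Kibana reads.
export_ca_cert() {    # export_ca_cert elastic-stack-ca.p12 elastic-stack-ca.pem
    openssl pkcs12 -in "$1" -nokeys -out "$2"
}

# Audit a CA PEM file and a kibana.yml. Prints one line per finding and
# returns the number of findings (0 means clean).
audit_kibana_tls() {  # audit_kibana_tls CA_PEM KIBANA_YML
    pem=$1; yml=$2; findings=0
    key="^[[:space:]]*elasticsearch\."   # anchored, so commented lines are skipped
    flag() { echo "FAIL: $1"; findings=$((findings + 1)); }

    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" &&
        flag "$pem contains a private key; re-export with -nokeys"
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        flag "$pem contains no certificate"
    grep -Eq "${key}ssl\.verificationMode:[[:space:]]*[\"']?none" "$yml" &&
        flag "verificationMode is none; use certificate or full"
    grep -Eq "${key}url:[[:space:]]*[\"']?http://" "$yml" &&
        flag "elasticsearch.url is not https://"
    grep -Eq "${key}ssl\.certificateAuthorities:" "$yml" ||
        flag "elasticsearch.ssl.certificateAuthorities is not set"
    return "$findings"
}

if [ "$#" -eq 2 ]; then
    audit_kibana_tls "$1" "$2"      # audit real files given on the command line
else
    # Constructed sample: an unfiltered pkcs12 export and an unmodified config.
    t=$(mktemp -d)
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIconstructed' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$t/ca.pem"
    printf '%s\n' 'elasticsearch.url: "http://localhost:9200"' > "$t/kibana.yml"
    audit_kibana_tls "$t/ca.pem" "$t/kibana.yml" || echo "findings: $?"
    rm -rf "$t"
fi
```
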
