X-Pack and CRL


#1

Hello all,

Is it possible to configure a CRL with X-Pack?
Or should I validate the certificates before the request is sent to Elasticsearch?


(Tim Vernum) #2

Can you provide more precise details about what you're after?

Is this for use in a pki authentication realm, or some other use?


#3

Yes, this is for a pki realm configuration.

When you specify a truststore in the configuration file, Elasticsearch uses it to validate that the client certificates are signed by a CA that you trust. On the client side too, you can use a truststore to validate the server certificate.

All the certificates that I use contain a CRL Distribution Point where I can get a file containing the serial numbers of all the revoked certificates (the CRL).

On the client side, the TrustManager (Java) that I use is validating the server certificates with those CRLs.

Is it possible to do the same thing on the server side? Maybe not calling a CRLDP, but providing a CRL that will be reloaded periodically?


(Tim Vernum) #4

I'm afraid this isn't currently supported.

If the functionality is important to you, please raise an enhancement request through your sales or support contacts, so that we can understand your requirements clearly and track demand for the feature.

