[DOCS] Adds certutil http command to TLS setup steps #51241
Conversation
lcawl
added
>docs
|
Pinging @elastic/es-docs (>docs) |
|
Pinging @elastic/es-security (:Security/Network) |
|
@elasticmachine run elasticsearch-ci/docs |
|
|
||
| ** If the certificate is in PEM format, add the following information to the | ||
| If you did not use the `elasticsearch-certutil http` command and you have |
There was a problem hiding this comment.
Using elasticsearch-certutil http doesn't necessarily mean they did not end up with a PEM file. For instance, they could have used elasticsearch-certutil http to generate a CSR that they then took to their CA to sign and get back a PEM encoded certificate
x-pack/docs/en/security/securing-communications/tls-http.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/securing-communications/node-certificates.asciidoc
Outdated
Show resolved
Hide resolved
Co-Authored-By: Ioannis Kakavas <[email protected]>
…tes.asciidoc Co-Authored-By: Ioannis Kakavas <[email protected]>
|
@elasticmachine run elasticsearch-ci/bwc |
| [source, yaml] | ||
| -------------------------------------------------- | ||
| xpack.security.http.ssl.enabled: true | ||
| xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1> | ||
| xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2> |
There was a problem hiding this comment.
@tvernum I noticed that the output from the elasticsearch-certutil http command did not mention setting the truststore.path, so I've removed it here too. If it's still required, let me know and I'll re-add it.
There was a problem hiding this comment.
It's not required.
Technically, setting a truststore would configure which certificates the server would trust if we had clientAuthentication enabled (PKI). We don't need that.
It's also used by setup-passwords, but if no truststore is configured, it will assume that the keystore has the correct certificates and trust that, so it all works without needing any special config.
| [source, yaml] | ||
| -------------------------------------------------- | ||
| xpack.security.http.ssl.enabled: true | ||
| xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1> | ||
| xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2> | ||
| xpack.security.http.ssl.keystore.path: "http.p12" |
There was a problem hiding this comment.
I think that since we talked about using a certs folder in previous examples, it should be used here too:
| xpack.security.http.ssl.keystore.path: "http.p12" | |
| xpack.security.http.ssl.keystore.path: certs/http.p12 |
There was a problem hiding this comment.
Maybe we should drop the certs/ part entirely?
We don't use it in the PEM examples (and that uses more files)
x-pack/docs/en/security/securing-communications/tls-http.asciidoc
Outdated
Show resolved
Hide resolved
| [source, yaml] | ||
| -------------------------------------------------- | ||
| xpack.security.http.ssl.enabled: true | ||
| xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1> | ||
| xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2> |
There was a problem hiding this comment.
It's not required.
Technically, setting a truststore would configure which certificates the server would trust if we had clientAuthentication enabled (PKI). We don't need that.
It's also used by setup-passwords, but if no truststore is configured, it will assume that the keystore has the correct certificates and trust that, so it all works without needing any special config.
|
@elasticmachine update branch |
x-pack/docs/en/security/securing-communications/node-certificates.asciidoc
Outdated
Show resolved
Hide resolved
| + | ||
| -- | ||
| Copy the applicable `.p12` files into the {es} configuration directory on each | ||
| node. There is no need to copy the CA file to this directory. |
There was a problem hiding this comment.
There is no need to copy the CA file to this directory.
Not sure what we originally meant with this, I guess we assumed that the CA certificate is part of the PKCS#12 that we would create and then users wouldn't need to copy the CA certficate by itself in addition. In any case, I feel this makes assumptions on the setup and is not very helpful so why not take the opportunity to remove this sentence
x-pack/docs/en/security/securing-communications/tls-http.asciidoc
Outdated
Show resolved
Hide resolved
x-pack/docs/en/security/securing-communications/tls-http.asciidoc
Outdated
Show resolved
Hide resolved
…tes.asciidoc Co-Authored-By: Ioannis Kakavas <[email protected]>
Co-Authored-By: Ioannis Kakavas <[email protected]>
|
@elasticmachine update branch |
x-pack/docs/en/security/securing-communications/tls-http.asciidoc
Outdated
Show resolved
Hide resolved
Co-Authored-By: Tim Vernum <[email protected]>
|
@elasticmachine update branch |
Co-Authored-By: Ioannis Kakavas <[email protected]> Co-Authored-By: Tim Vernum <[email protected]>
Co-Authored-By: Ioannis Kakavas <[email protected]> Co-Authored-By: Tim Vernum <[email protected]>
Related to #49827
This PR updates the instructions in https://www.elastic.co/guide/en/elasticsearch/reference/master/configuring-tls.html#tls-http to take the new elasticsearch-certutil http command into consideration.
Preview: http://elasticsearch_51241.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/configuring-tls.html