Skip to content

[DOCS] Adds certutil http command to TLS setup steps #51241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
Feb 21, 2020
Merged

[DOCS] Adds certutil http command to TLS setup steps #51241

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
6ecb50d
[DOCS] Adds certutil http command to TLS steps
lcawl Jan 20, 2020
de62baf
Update x-pack/docs/en/security/securing-communications/tls-http.asciidoc
lcawl Jan 21, 2020
2a81dfd
Update x-pack/docs/en/security/securing-communications/node-certifica…
lcawl Jan 21, 2020
f7fa7a0
[DOCS] Addresses feedback
lcawl Jan 21, 2020
7e56887
[DOCS] Removes reference to certs folder in TLS instructions
lcawl Jan 24, 2020
66a23e4
Update x-pack/docs/en/security/securing-communications/tls-http.asciidoc
lcawl Jan 24, 2020
1c472ec
Merge branch 'master' into tls-http
elasticmachine Jan 24, 2020
5070d6a
Update x-pack/docs/en/security/securing-communications/node-certifica…
lcawl Feb 3, 2020
d6a9314
Update x-pack/docs/en/security/securing-communications/tls-http.asciidoc
lcawl Feb 3, 2020
79673e2
[DOCS] Remove CA comment from node certificates
lcawl Feb 3, 2020
176e459
[DOCS] Fixes PEM file names
lcawl Feb 3, 2020
602156c
Merge branch 'master' into tls-http
elasticmachine Feb 13, 2020
5d6f8f4
Update x-pack/docs/en/security/securing-communications/tls-http.asciidoc
lcawl Feb 21, 2020
dda31ca
Merge branch 'master' into tls-http
elasticmachine Feb 21, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 19 additions & 3 deletions x-pack/docs/en/security/securing-communications/node-certificates.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
[[node-certificates]]
==== Generating Node Certificates
==== Generating node certificates

TLS requires X.509 certificates to perform encryption and authentication of the
application that is being communicated with. In order for the communication
Expand Down Expand Up @@ -75,10 +75,26 @@ signing requests (CSR) for the nodes in your cluster. For more information, see
<<certutil>>.
--

. Copy the node certificate to the appropriate locations.
. Optional: Generate additional certificates specifically for encrypting HTTP
client communications.
+
--
Copy the applicable `.p12` file into a directory within the {es} configuration
For example, use the `elasticsearch-certutil http` command:

[source,shell]
----------------------------------------------------------
bin/elasticsearch-certutil http
----------------------------------------------------------

This command guides you through the process of generating the appropriate
certificates for use in {es} and {kib}. If you created a CA for your cluster,
you can re-use it by supplying its location when prompted.
--

. Copy the node certificates to the appropriate locations.
+
--
Copy the applicable `.p12` files into a directory within the {es} configuration
directory on each node. For example, `/home/es/config/certs`. There is no need
to copy the CA file to this directory.

Expand Down
74 changes: 45 additions & 29 deletions x-pack/docs/en/security/securing-communications/tls-http.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,42 +1,58 @@
[role="xpack"]
[[tls-http]]
==== Encrypting HTTP Client communications
==== Encrypting HTTP client communications

When {security-features} are enabled, you can optionally use TLS to ensure that
communication between HTTP clients and the cluster is encrypted.

NOTE: Enabling TLS on the HTTP layer is strongly recommended but is not required.
If you enable TLS on the HTTP layer in {es}, then you might need to make
configuration changes in other parts of the Elastic Stack and in any {es}
clients that you use.
configuration changes in other parts of the {stack} and in any {es} clients that
you use.

. If you have not done so already, <<node-certificates,generate node certificates>>.
+
--
In particular, you need the files that are generated by the following command:

[source,shell]
----------------------------------------------------------
bin/elasticsearch-certutil http
----------------------------------------------------------

This command generates a zip file that contains certificates and keys for use in {es} and {kib}. Each folder contains a readme that explains how to use the files.
--

. Verify that you've copied the output files to the appropriate locations, as
specified in the readme files.
+
--
For example, copy the `http.p12` file from the `elasticsearch` folder into a
directory within the {es} configuration directory on each node. If you chose to
generate one certificate per node, copy the appropriate `http.p12` file to each
node. If you want to use {kib} to access this cluster, copy the
`elasticsearch-ca.pem` file from the `kibana` folder into the {kib}
configuration directory.
--

. Enable TLS and specify the information required to access the node’s
certificate.
certificate. Follow the instructions in the readme in the `elasticsearch` folder
of the zip file. For example:

** If the certificate is in PKCS#12 format, add the following information to the
`elasticsearch.yml` file on each node:
.. Update the `elasticsearch.yml` file on each node with the location of the
certificates.
+
--
If the certificates are in PKCS#12 format:

[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 <1>
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12 <2>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tvernum I noticed that the output from the elasticsearch-certutil http command did not mention setting the truststore.path, so I've removed it here too. If it's still required, let me know and I'll re-add it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not required.

Technically, setting a truststore would configure which certificates the server would trust if we had clientAuthentication enabled (PKI). We don't need that.

It's also used by setup-passwords, but if no truststore is configured, it will assume that the keystore has the correct certificates and trust that, so it all works without needing any special config.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, thanks!

xpack.security.http.ssl.keystore.path: "http.p12"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that since we talked about using a certs folder in previous examples, it should be used here too:

Suggested change
xpack.security.http.ssl.keystore.path: "http.p12"
xpack.security.http.ssl.keystore.path: certs/http.p12

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should drop the certs/ part entirely?
We don't use it in the PEM examples (and that uses more files)

--------------------------------------------------
<1> If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the `certs/${node.name}.p12` format, for example.
<2> The `elasticsearch-certutil` output includes the CA certificate inside the
PKCS#12 keystore, therefore the keystore can also be used as the truststore.
This name should match the `keystore.path` value.
--

** If the certificate is in PEM format, add the following information to the
`elasticsearch.yml` file on each node:
+
--
If the certificates are in PEM format:

[source, yaml]
--------------------------------------------------
xpack.security.http.ssl.enabled: true
Expand All @@ -52,29 +68,29 @@ xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <3
must be a location within the {es} configuration directory.
--

. If you secured the node's certificate with a password, add the password to
your {es} keystore:

** If the signed certificate is in PKCS#12 format, use the following commands:
.. If you secured the certificate with a password, add that password to a secure
setting in {es}.
+
--
If the certificates are in PKCS#12 format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
-----------------------------------------------------------
--

** If the certificate is in PEM format, use the following commands:
+
--
If the certificates are in PEM format:

[source,shell]
-----------------------------------------------------------
bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
-----------------------------------------------------------
--

. Optional: If you want to use {kib}, follow the instructions in the readme
provided by the `elasticsearch-certutil http` command or see
{kibana-ref}/configuring-tls.html[Encrypting communications in {kib}].

. Restart {es}.

[NOTE]
Expand Down