Support PKCS#12 encoded certificates #17261
Conversation
legrego
added
WIP
💔 Build Failed |
💚 Build Succeeded |
legrego
force-pushed
the
support-pkcs12-17039
branch
from
e0cb49c
to
96849b3
Compare
💚 Build Succeeded |
legrego
force-pushed
the
support-pkcs12-17039
branch
from
96849b3
to
8832c3e
Compare
💚 Build Succeeded |
|
@kobelb, I backed out the Joi upgrade and schema validations per our slack chat. The new SSL configuration is instead validated by throwing errors where appropriate. Can you review when you get a chance? |
|
Thoughts on aligning with elasticsearch's format, specifically with a type flag that gets set to PKCS12? |
|
Related, are there any other formats we might support (i.e I should do some research, are there other (un)commonly common formats?) |
To be honest, I didn't realize that Elasticsearch already supported PKCS#12, and we generally try to keep our SSL settings inline with theirs, good call @jbudz . It also looks like Elasticsearch is differentiating between a |
I haven't heard of any others at this time, but I'd prefer to follow what the Elasticsearch team does to make sure we stay consistent. |
@kobelb @jbudz I'm not sure if we can do that or not, but I'll do some testing and get back to you. I'd prefer to be consistent with Elasticsearch if possible, but I'm a little hesitant to use the same configuration properties. It's my understanding that |
|
@kobelb @jbudz The only way to get the certificate chain (" So the end result in that scenario is a single PKCS#12 file that contains:
Given this, users have a few options:
|
|
@jaymode @tvernum @jkakavas we're looking at adding PKCS#12 support in Kibana, and generally like to keep our SSL settings inline with Elasticsearch. Currently, Elasticsearch's SSL settings are differentiating between the keyStore and the trustStore, while we were hoping to specify a single PKCS#12 certificate that contains everything to use and verify the certificate. Do you all have any intent on implementing this, and if so do you have any qualms with referring to this setting as |
|
When we generate node certificates with certutil, we end up with a PKCS#12 keystore that can be used both as a keystore and as a truststore ( as it contains the node's private key and certificate, as well as the CA certificate ) . So, we already do support a single PKCS#12 certificate that contains everything to use and verify the certificate. Is this about the setting name only ? That is, instead of having : to be able to support ? |
|
@jkakavas yup! |
|
@kobelb I personally do not like the use of One thought is that we've adopted the notion of |
That makes sense, and we aren't intimately tied to calling it Does referring to it as a |
Going back to Shield, we allowed users to define a keystore in the settings and if the truststore setting was not set, we'd use the keystore as the truststore. I personally feel like a single store is the easiest to reason about and having two settings makes it confusing. |
|
I agree with a single configuration option as a fallback but maybe not enforce it:
I'm not sure how commonly used that is though and if we want to support it though.
|
|
So if we were to add the following settings for Kibana, they seem to fall in line with what's supported via elasticsearch now: and they would provide the certs, key and certs for the certificate authorities. Is that correct? |
|
That's correct. Do you need the |
|
I was only proposing using |
|
I think we can get away without the |
💚 Build Succeeded |
Simplified Joi schema validation in favor of manually throwing errors
legrego
force-pushed
the
support-pkcs12-17039
branch
from
54ceff3
to
85de723
Compare
💚 Build Succeeded |
This reverts commit de91bd0.
…c#17801) * Revert "Support PKCS#12 encoded certificates (elastic#17261)" This reverts commit de91bd0. * Fixing tests
💔 Build Failed |
The implementation here was flawed, in that we were not able to correctly handle requests made by the Kibana server on behalf of an end-user. There are many features within Kibana that require the kibana server to essentially proxy the end-users request to elasticsearch. When this is done, the Kibana server cannot attach client certificates to the proxied request. The libraries provided by nodejs for dealing with PKCS12 certificates do not allow us to extract the CA from the bundle -- it's either an all or nothing deal.
@kobelb summarizes the issue in the revert for this PR: #17801
This PR adds new configuration properties to support PKCS#12 encoded certificates. This allows the certificate, key, and CA chain to be specified in a single file, which simplifies administrating Kibana installations.
New kibana.yml Properties
server.ssl.keystore.pathThis is an alternative to
server.ssl.certificateandserver.ssl.key. If a CA chain is not included in this file, then PEM encoded certificates can be specified using the existingserver.ssl.certificateAuthoritiesproperty.server.ssl.keystore.passwordPassword to to decrypt the key within the PKCS#12 file. Analogous to
server.ssl.keyPassphraseforserver.ssl.keyelasticsearch.ssl.keystore.pathThis is an alternative to
elasticsearch.ssl.certificateandelasticsearch.ssl.key. If a CA chain is not included in this file, then PEM encoded certificates can be specified using the existingelasticsearch.ssl.certificateAuthoritiesproperty.elasticsearch.ssl.keystore.passwordPassword to to decrypt the key within the PKCS#12 file. Analogous to
elasticsearch.ssl.keyPassphraseforelasticsearch.ssl.keyDetails
If the
[...].ssl.keystore.pathproperty is set, then the corresponding[...].ssl.certificateand[...].ssl.keyproperties must be left unset.Closes #17039