Adding the TLS configuration what should we give searchguard.authcz.admin_dn:

ELK 7.17.3 v

Adding the TLS configuration what should we give in this part

  • CN=kirk,OU=client,O=client,L=test, C=de # can we give these as default or should we replace it with other details

The DN you specify in searchguard.authcz.admin_dn should be the DN (Distinguished Name) of the certificate you will use as your “super” admin cert (you’ll need it to make changes to the searchguard index).

Please make sure to go through the docs for the different types of certificates in your environment:

And in particular, for the admin cert:

If this is a test cluster, it would be OK to keep the “kirk” DN (which is part of the “demo” certificates), but we would strongly recommend producing and using your own certs in a Prod cluster.

I need to get more details on it : For example :


  • CN=kirk,OU=client,O=client,L=test, C=de
    In prod Environment : can i put my Kibana Client certificate as the Admin certificate

  •,OU=client,L=test, C =de

will this be a correct syntax or am i missing something when i write CN = Server name

@amalk12 If I understand correctly, you seem to be trying to use a server certificate (the EKU section of this certificate possibly would only include “serverAuth”)

As the documentation states, the “super admin” certificate is just a client certificate (the EKU section would only include “clientAuth”)

Please use a client cert (not a server cert).

On the other hand, this certificate will be treated as the “super admin” in your Search Guard instance - it will have the highest level of permissions in your cluster. Therefore, I’d strongly encourage you to produce a dedicated / separate certificate (not shared for other functions or with other teams)