Client Certificates

rob327 · September 19, 2021, 3:17pm

(I’m using the latest of version 5 for everything here)

I’m trying to setup just client certificate authenication for kibana users with SG.

I have only one auth domain in auth_c for http_authenticator, type: clientcert, and challenge set to true.
I have got searchguard.ssl.http.clientauth_mode: REQUIRE in elasticsearch.yaml.
Kibana is running under https with server.ssl.enabled: true

But the searchguard login box appears, I was expecting that having challenge set to true, would activate the in-browser ‘choose a client certifcate’ prompt but it does not,

How do I prevent the login box appearing?
And is SG able to get the browser to request a client cert, or does it just expect it to be there? Or is this a case of kibana not being able to forward on any client certificates?

Many thanks.

sirHusky · September 20, 2021, 5:49pm

Hi @rob327 There is currently no way to achieve this. Kibana can not forward client certificates, as a result elasticsearch would not be able to distinguish one user from another.
The advise would be against using certificate auth for kibana, but use basic auth instead.
Also highly advised to upgrade your SearchGuard to Version 7.

system · October 11, 2021, 5:49pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana server with client certificate auth only Search Guard	3	539	April 29, 2020
Client certificate-based authentication issues Search Guard	2	361	April 12, 2018
Is it possible to authenticate kibana user by cert? Search Guard	2	378	September 20, 2018
Using a certificate to authenticate the Kibana Server user Search Guard	0	361	August 18, 2017
Configure searchguard to work with SSO Search Guard	1	514	August 22, 2017

Client Certificates

Related Topics