Client Certificates

rob327 · September 19, 2021, 3:17pm

(I’m using the latest of version 5 for everything here)

I’m trying to setup just client certificate authenication for kibana users with SG.

I have only one auth domain in auth_c for http_authenticator, type: clientcert, and challenge set to true.
I have got searchguard.ssl.http.clientauth_mode: REQUIRE in elasticsearch.yaml.
Kibana is running under https with server.ssl.enabled: true

But the searchguard login box appears, I was expecting that having challenge set to true, would activate the in-browser ‘choose a client certifcate’ prompt but it does not,

How do I prevent the login box appearing?
And is SG able to get the browser to request a client cert, or does it just expect it to be there? Or is this a case of kibana not being able to forward on any client certificates?

Many thanks.

sirHusky · September 20, 2021, 5:49pm

Hi @rob327 There is currently no way to achieve this. Kibana can not forward client certificates, as a result elasticsearch would not be able to distinguish one user from another.
The advise would be against using certificate auth for kibana, but use basic auth instead.
Also highly advised to upgrade your SearchGuard to Version 7.

system · October 11, 2021, 5:49pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana server with client certificate auth only Search Guard	3	572	April 29, 2020
Client certificate-based authentication issues Search Guard	2	385	April 12, 2018
Is it possible to authenticate kibana user by cert? Search Guard	2	399	September 20, 2018
Generating certificates for search guard Search Guard	6	417	September 7, 2022
Something wrong with certificates? (Kibana plugin) Search Guard	1	1161	May 10, 2018

Client Certificates

Related topics