Client Certificates

(I’m using the latest of version 5 for everything here)

I’m trying to setup just client certificate authenication for kibana users with SG.

I have only one auth domain in auth_c for http_authenticator, type: clientcert, and challenge set to true.
I have got searchguard.ssl.http.clientauth_mode: REQUIRE in elasticsearch.yaml.
Kibana is running under https with server.ssl.enabled: true

But the searchguard login box appears, I was expecting that having challenge set to true, would activate the in-browser ‘choose a client certifcate’ prompt but it does not,

How do I prevent the login box appearing?
And is SG able to get the browser to request a client cert, or does it just expect it to be there? Or is this a case of kibana not being able to forward on any client certificates?

Many thanks.

Hi @rob327 There is currently no way to achieve this. Kibana can not forward client certificates, as a result elasticsearch would not be able to distinguish one user from another.
The advise would be against using certificate auth for kibana, but use basic auth instead.
Also highly advised to upgrade your SearchGuard to Version 7.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.