I am looking into automating SSL certificate provisioning for our ES+SG deployments, both in test (internal environment) and in production, and I have some questions.
We plan to use an internal CA for our test ES deployment (as well as other internal services), where we would have a simple chain: root cert -> intermediate cert -> ES node certs. For testing purposes, these are currently being created manually, but the plan is to use the intermediate certificate with Hashicorp’s Vault to automate issuing of certificates.
For production, we plan to use Let’s Encrypt certs (and automate renewal).
Through some experimentation, I was able to generate node certificates that SG is happy with (the critical bit was setting key usage to both server and client auth).
I am now trying to figure out how to create client certs to use with sgadmin. I am able to generate client certs using the same OpenSSL configuration used for node certs (setting CN to something like ‘admin’).
At first, I tried using demo client certs (kirk, sgadmin), but sgadmin would fail with an “unknown certificate” error. Am I right to assume that client certs need to share the same certificate chain as node certs?
If that is so, what’s the best practice for production and getting client certs?
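Added example, not from the original post: an OpenSSL script that builds the root -> intermediate -> node chain described above plus an admin client cert from the same intermediate, then checks that both verify against the root while a client cert from an unrelated CA (standing in for the demo certs) does not. It assumes openssl 1.1.1+ on PATH; every name and CN in it is constructed.

```shell
# Added example (not the poster's setup). Assumes openssl 1.1.1+ on PATH;
# all names/CNs are constructed. Builds root -> intermediate -> node/admin certs
# and an unrelated CA -> kirk cert, then exposes check functions for each case.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Create a key and CSR: $1=name $2=subject
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}
# Self-signed CA: $1=name $2=subject
root_ca() {
  csr "$1" "$2"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 365 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}
# Issue a cert signed by an existing CA: $1=name $2=subject $3=issuer $4=extensions
issue() {
  csr "$1" "$2"
  printf '%b\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}
build_chain() {
  root_ca root "/CN=Internal Root CA"
  issue intermediate "/CN=Internal Issuing CA" root \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
  # Node cert: SG needs serverAuth AND clientAuth, since nodes also act as TLS clients.
  issue node "/CN=es-node-1" intermediate \
    'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:es-node-1.internal.example'
  # sgadmin client cert from the same intermediate; clientAuth is enough here.
  issue admin "/CN=admin" intermediate 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth'
  # Client cert from an unrelated CA, standing in for the bundled demo certs.
  root_ca other-root "/CN=Unrelated Demo CA"
  issue kirk "/CN=kirk" other-root 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth'
}
# Succeeds if $1 chains to root.pem via intermediate.pem (what the node truststore checks).
chains_to_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/$1.pem" >/dev/null 2>&1
}
# Succeeds if $1 carries the named extended key usage, e.g. "TLS Web Client Authentication".
has_eku() {
  openssl x509 -in "$WORK/$1.pem" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}
```

Run `build_chain`, then `chains_to_root kirk` fails the same way a node rejects a demo client cert, while `chains_to_root admin` succeeds; the same check functions work against certs issued by Vault from the intermediate.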