How to use CRLs?

How to use certificate revocation lists?

In order to active CRL checking pls set the following properties in elasticsearch.yml (on all http enabled nodes):

# set this to true to enable crl validation
# default is false
searchguard.ssl.http.crl.validate: true

# file based static revocation list, by default this is null
# if null then either ocsp or crldp needs to be enabled
# crl file must be in config/ dir, so this path is relative here
#searchguard.ssl.http.crl.file_path: mycrl.crl

# default is false (means we prefer ocsp over crlfile)
#searchguard.ssl.http.crl.prefer_crlfile_over_ocsp: true

# default is true (means we do not validate intermediate certificats)
#searchguard.ssl.http.crl.check_only_end_entities: false

# default is false (means we use oscp if available)
#searchguard.ssl.http.crl.disable_ocsp: true   

# default is false (means we use crldp if available)
#searchguard.ssl.http.crl.disable_crldp: true  

Please note: CRL check is only available for the HTTPS layer (port 9200), not for transport layer (9300)

Thanks! I think this is missing in the documentation.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.