How to use certificate revocation lists?
In order to activate CRL checking pls set the following properties in elasticsearch.yml (on all http enabled nodes):

```yaml
# set this to true to enable crl validation
# default is false
searchguard.ssl.http.crl.validate: true
# file based static revocation list, by default this is null
# if null then either ocsp or crldp needs to be enabled
# crl file must be in config/ dir, so this path is relative here
#searchguard.ssl.http.crl.file_path: mycrl.crl
# default is false (means we prefer ocsp over crlfile)
#searchguard.ssl.http.crl.prefer_crlfile_over_ocsp: true
# default is true (means we do not validate intermediate certificates)
#searchguard.ssl.http.crl.check_only_end_entities: false
# default is false (means we use ocsp if available)
#searchguard.ssl.http.crl.disable_ocsp: true
# default is false (means we use crldp if available)
#searchguard.ssl.http.crl.disable_crldp: true
```

Please note: CRL check is only available for the HTTPS layer (port 9200), not for transport layer (9300)
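
An added example, not part of the post above and not Search Guard code: a small lint for the `searchguard.ssl.http.crl.*` block that flags combinations the comments in the answer warn about, such as no CRL file with both OCSP and CRLDP disabled. The function names are hypothetical, the defaults are the ones stated in those comments, and the parser only assumes flat `key: value` lines.

```python
# Added example: lint the searchguard.ssl.http.crl.* settings quoted above.
# Defaults are the ones stated in the post's comments.
DEFAULTS = {
    "validate": "false",
    "file_path": None,
    "prefer_crlfile_over_ocsp": "false",
    "check_only_end_entities": "true",
    "disable_ocsp": "false",
    "disable_crldp": "false",
}
PREFIX = "searchguard.ssl.http.crl."


def parse_crl_settings(text):
    """Read flat 'key: value' lines; commented-out lines keep their default."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.startswith(PREFIX) and key[len(PREFIX):] in DEFAULTS:
            settings[key[len(PREFIX):]] = value.strip("'\"") or None
    return settings


def lint_crl_settings(text):
    """Return warnings for an elasticsearch.yml fragment (hypothetical helper)."""
    s = parse_crl_settings(text)
    on = lambda name: str(s[name]).lower() == "true"
    if not on("validate"):
        return ["validate is not true: no revocation checking on HTTPS"]
    findings = []
    if s["file_path"] is None and on("disable_ocsp") and on("disable_crldp"):
        findings.append("no CRL file and both OCSP and CRLDP disabled: no revocation source")
    if s["file_path"] and s["file_path"].startswith("/"):
        findings.append("file_path must be relative to the config/ directory")
    if on("check_only_end_entities"):
        findings.append("intermediate certificates are not checked for revocation")
    return findings


# Constructed sample: validation on, but every revocation source switched off.
SAMPLE = """\
searchguard.ssl.http.crl.validate: true
#searchguard.ssl.http.crl.file_path: mycrl.crl
searchguard.ssl.http.crl.disable_ocsp: true
searchguard.ssl.http.crl.disable_crldp: true
"""

if __name__ == "__main__":
    for finding in lint_crl_settings(SAMPLE):
        print("WARN:", finding)
```
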
Thanks! I think this is missing in the documentation.