How to use certificate revocation lists?
In order to activate CRL checking pls set the following properties in elasticsearch.yml (on all http enabled nodes):

```yaml
# set this to true to enable crl validation
# default is false
searchguard.ssl.http.crl.validate: true

# file based static revocation list, by default this is null
# if null then either ocsp or crldp needs to be enabled
# crl file must be in config/ dir, so this path is relative here
#searchguard.ssl.http.crl.file_path: mycrl.crl

# default is false (means we prefer ocsp over crlfile)
#searchguard.ssl.http.crl.prefer_crlfile_over_ocsp: true

# default is true (means we do not validate intermediate certificates)
#searchguard.ssl.http.crl.check_only_end_entities: false

# default is false (means we use ocsp if available)
#searchguard.ssl.http.crl.disable_ocsp: true

# default is false (means we use crldp if available)
#searchguard.ssl.http.crl.disable_crldp: true
```

Please note: CRL check is only available for the HTTPS layer (port 9200), not for the transport layer (9300).
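An added example, not part of the original posts and not Search Guard's own code: a small audit of the CRL settings in an elasticsearch.yml, using the defaults stated in the comments above. It assumes the flat dotted-key form shown in the post (nested YAML is not handled); the function names and finding texts are hypothetical.

```python
# Added example: audit Search Guard HTTP CRL settings from elasticsearch.yml text.
# Defaults are the ones stated in the comments of the posted configuration.
PREFIX = "searchguard.ssl.http.crl."
DEFAULTS = {
    "validate": False,
    "file_path": None,
    "prefer_crlfile_over_ocsp": False,
    "check_only_end_entities": True,
    "disable_ocsp": False,
    "disable_crldp": False,
}

def parse_crl_settings(yml_text):
    """Read flat 'key: value' lines; commented-out keys keep their default."""
    settings = dict(DEFAULTS)
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and disabled keys
        if not line.startswith(PREFIX) or ":" not in line:
            continue
        key, value = line[len(PREFIX):].split(":", 1)
        key, value = key.strip(), value.strip().strip("'\"")
        if key not in DEFAULTS:
            continue
        if key == "file_path":
            settings[key] = value or None
        else:
            settings[key] = value.lower() == "true"
    return settings

def audit(yml_text):
    """Return a list of findings; an empty list means nothing to flag."""
    s = parse_crl_settings(yml_text)
    if not s["validate"]:
        return ["crl.validate is false: no revocation checking on the HTTPS layer"]
    findings = []
    if s["file_path"] is None and s["disable_ocsp"] and s["disable_crldp"]:
        findings.append("no revocation source: file_path unset, ocsp and crldp disabled")
    if s["check_only_end_entities"]:
        findings.append("check_only_end_entities is true: intermediates are not validated")
    return findings

if __name__ == "__main__":
    # Constructed sample input, not taken from a real node.
    sample = (PREFIX + "validate: true\n" + PREFIX + "disable_ocsp: true\n"
              + PREFIX + "disable_crldp: true\n")
    for finding in audit(sample):
        print(finding)
```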
Thanks! I think this is missing in the documentation.