Search Guard SSL - what's gen_node_cert_openssl.sh

Hi,

First, thanks for the great work.

I used the offline TLS tools (available here) and I noticed the gen_node_cert.sh and gen_node_cert_openssl.sh scripts.

I understand that the first one generates node certificates in PEM, PKCS12, and JKS format.

The second generates only PEM format; the key is generated with a temporary openssl conf file and then the cert is generated using the signing-ca.conf file.

My question is simple:

I am not familiar with advanced openssl configurations, but what's the point of "gen_node_cert_openssl.sh"? When should I use it?

Regards,

Victor L

Very sorry for the late reply to your question!

The short answer is that the outcome of both scripts is pretty much the same, but if you have OpenSSL installed, prefer gen_node_cert_openssl.sh over gen_node_cert.sh.

Long answer: For SG2 and SG5 the preferred/default certificate format was JKS. The gen_node_cert.sh script mainly uses the JDK keytool to generate the certificates in JKS format. However, since JKS is a proprietary format, since SG6 the preferred/default certificate format is PEM/X.509. gen_node_cert_openssl.sh does not use the JDK keytool, but OpenSSL only. So the difference is subtle, and the outcome similar; gen_node_cert_openssl.sh just does not use proprietary JDK tools.

On Friday, August 10, 2018 at 3:46:51 AM UTC-5, Victor L wrote:

Hi,

Thanks for your detailed explanation, and sorry too for the late reply. I am not familiar with Google Groups and I thought I would be notified when you replied. Unfortunately that's not the case, even though I ticked the "Automatically subscribe me to email updates when I post to a topic" box.

Regarding your reply, I conclude that if I am using only ES 6.X and above, I can use "gen_node_cert_openssl" only.

Regards,

On Tuesday, 21 August 2018 04:18:44 UTC+2, Jochen Kressin wrote:

Actually, both scripts are equivalent in what the output is, so it should not matter which one you use. You probably have some more options regarding the supported ciphers when using OpenSSL. But both scripts will work.

On Monday, September 10, 2018 at 6:05:09 AM UTC-7, Victor L wrote: