Hi there,
i would like to exchange the demo certificates from searchguard with certificates provided by our internal Windows Certificate Authority.
I downloaded already the TLS Offline Tool to genreate CSR requests.
Do i need to request all certificates (node, client and admin) as “WebServer Certificate”?
And then can i simpley exchange the fielnames in the config of elasticsearch and thats is, or do i have to do mor changes?
Thanks, -raphael
Search Guard version - 22.1
Elasticsearch version - 6.2.4
Installed and used enterprise modules, if any - none, community edition
JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)
operating system version - CentOS Linux release 7.5.1804 (Core)
Search Guard configuration files → Democonfiguration
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)
What other options beside “WebServer Certificate” do you have? Keep in mind that almost all SG certificates needs “client authentication” Extended Key Usage (EKU) → see What extensions and details are included in a SSL certificate?
···
On Friday, 8 June 2018 09:21:23 UTC+2, Raphael Wanko wrote:
Hi there,
i would like to exchange the demo certificates from searchguard with certificates provided by our internal Windows Certificate Authority.
I downloaded already the TLS Offline Tool to genreate CSR requests.
Do i need to request all certificates (node, client and admin) as “WebServer Certificate”?
And then can i simpley exchange the fielnames in the config of elasticsearch and thats is, or do i have to do mor changes?
Thanks, -raphael
Search Guard version - 22.1
Elasticsearch version - 6.2.4
Installed and used enterprise modules, if any - none, community edition
JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)
operating system version - CentOS Linux release 7.5.1804 (Core)
Search Guard configuration files → Democonfiguration
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)
The standard windows ca templates:
I created the CSR with this Configuration: https://pastebin.com/EyyPVneD
My Elasticsearch config looks like that: https://pastebin.com/G8x9rCJ7
This is one of the Node Certificates:
I get this error messages when i start elasticsearch: https://pastebin.com/BzukKcMi
Then i tried “./search-guard-6/tools/sgadmin.sh -cd /search-guard-tlstool-1.4/config/ -cacert /etc/elasticsearch/pankl-ca.pem -cert /etc/elasticsearch/sgadmin.pem -key /etc/elasticsearch/sgadmin.key -nhnv -cn pankl-elasticsearch-cluster”
but it wont get futher than tho this message:
···
Search Guard Admin v6
Will connect to localhost:9300 … done
Elasticsearch Version: 6.2.4
Search Guard Version: 6.2.4-22.1
Connected as EMAILADDRESS=warsys@pankl.com ,CN=warsys,OU=IT-Admins,OU=special-users,OU=Pankl-User,DC=pankl,DC=local
Contacting elasticsearch cluster ‘pankl-elasticsearch-cluster’ and wait for YELLOW clusterstate …
And here the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” sgtlsdiag - Pastebin.com
so you are missing the client auth eku. ask the guys who are responsible for the corporate ssl cert signing.
···
On Friday, 8 June 2018 10:43:04 UTC+2, Raphael Wanko wrote:
And here the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” https://pastebin.com/UHWPXpuH
