Hi there,
I would like to exchange the demo certificates from Search Guard with certificates provided by our internal Windows Certificate Authority.
I already downloaded the TLS Offline Tool to generate CSR requests.
Do I need to request all certificates (node, client and admin) as “WebServer Certificate”?
And then can I simply exchange the filenames in the config of Elasticsearch and that's it, or do I have to make more changes?
Thanks, -raphael
Search Guard version - 22.1
Elasticsearch version - 6.2.4
Installed and used enterprise modules, if any - none, community edition
JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)
operating system version - CentOS Linux release 7.5.1804 (Core)
Search Guard configuration files → Democonfiguration
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)
What other options besides “WebServer Certificate” do you have? Keep in mind that almost all SG certificates need the “client authentication” Extended Key Usage (EKU) → see What extensions and details are included in a SSL certificate?
On Friday, 8 June 2018 09:21:23 UTC+2, Raphael Wanko wrote:
Hi there,
I would like to exchange the demo certificates from Search Guard with certificates provided by our internal Windows Certificate Authority.
I already downloaded the TLS Offline Tool to generate CSR requests.
Do I need to request all certificates (node, client and admin) as “WebServer Certificate”?
And then can I simply exchange the filenames in the config of Elasticsearch and that's it, or do I have to make more changes?
Thanks, -raphael
Search Guard version - 22.1
Elasticsearch version - 6.2.4
Installed and used enterprise modules, if any - none, community edition
JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)
operating system version - CentOS Linux release 7.5.1804 (Core)
Search Guard configuration files → Democonfiguration
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)
The standard Windows CA templates:
I created the CSR with this Configuration: https://pastebin.com/EyyPVneD
My Elasticsearch config looks like that: https://pastebin.com/G8x9rCJ7
This is one of the Node Certificates:
I get these error messages when I start Elasticsearch: https://pastebin.com/BzukKcMi
Then I tried “./search-guard-6/tools/sgadmin.sh -cd /search-guard-tlstool-1.4/config/ -cacert /etc/elasticsearch/pankl-ca.pem -cert /etc/elasticsearch/sgadmin.pem -key /etc/elasticsearch/sgadmin.key -nhnv -cn pankl-elasticsearch-cluster”
but it won't get further than this message:
Search Guard Admin v6
Will connect to localhost:9300 … done
Elasticsearch Version: 6.2.4
Search Guard Version: 6.2.4-22.1
Connected as EMAILADDRESS=warsys@pankl.com ,CN=warsys,OU=IT-Admins,OU=special-users,OU=Pankl-User,DC=pankl,DC=local
Contacting elasticsearch cluster ‘pankl-elasticsearch-cluster’ and wait for YELLOW clusterstate …
And here is the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” sgtlsdiag - Pastebin.com
So you are missing the client auth EKU. Ask the guys who are responsible for the corporate SSL cert signing.
Maybe your templates just do not support the required EKU.
On Friday, 8 June 2018 10:43:04 UTC+2, Raphael Wanko wrote:
And here is the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” https://pastebin.com/UHWPXpuH
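The check the last reply points at, as an added example that is not part of the original thread: it reads the Extended Key Usage of a PEM certificate with openssl and reports whether both serverAuth and clientAuth are present. The function names, the CN node1.example.test and the two self-signed sample certificates are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example: verify that a certificate carries the EKUs discussed in this
# thread before putting it into elasticsearch.yml. Helper names are hypothetical.

# has_eku CERT LABEL -> exit 0 if LABEL appears in the Extended Key Usage extension
has_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# check_node_cert CERT -> prints a verdict; exit 0 only if both EKUs are present
check_node_cert() {
    local cert=$1 rc=0
    has_eku "$cert" 'TLS Web Server Authentication' ||
        { echo "$cert: missing serverAuth"; rc=1; }
    has_eku "$cert" 'TLS Web Client Authentication' ||
        { echo "$cert: missing clientAuth"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$cert: serverAuth and clientAuth present"
    return "$rc"
}

# make_sample_cert OUT EKU_LIST -> constructed self-signed certificate for the demo
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=node1.example.test" \
        -keyout "$1.key" -out "$1" \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}

# Demo on constructed input: one certificate with only serverAuth,
# one with both usages.
tmp=$(mktemp -d)
make_sample_cert "$tmp/web-only.pem" "serverAuth"
make_sample_cert "$tmp/node.pem" "serverAuth,clientAuth"
check_node_cert "$tmp/web-only.pem" || true   # reports missing clientAuth
check_node_cert "$tmp/node.pem"               # reports both present
rm -rf "$tmp"
```

Run `check_node_cert` against each issued node and admin certificate; a non-zero exit status means the signing template has to be changed before the certificate is deployed.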