SearchGuard Certificates - Windows PKI

Hi there,

i would like to exchange the demo certificates from searchguard with certificates provided by our internal Windows Certificate Authority.

I downloaded already the TLS Offline Tool to genreate CSR requests.

Do i need to request all certificates (node, client and admin) as “WebServer Certificate”?

And then can i simpley exchange the fielnames in the config of elasticsearch and thats is, or do i have to do mor changes?

Thanks, -raphael

  • Search Guard version - 22.1

  • Elasticsearch version - 6.2.4

  • Installed and used enterprise modules, if any - none, community edition

  • JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)

  • operating system version - CentOS Linux release 7.5.1804 (Core)

  • Search Guard configuration files -> Democonfiguration

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)

What other options beside “WebServer Certificate” do you have? Keep in mind that almost all SG certificates needs “client authentication” Extended Key Usage (EKU) -> see https://knowledge.digicert.com/solution/SO18140.html#EKU

···

On Friday, 8 June 2018 09:21:23 UTC+2, Raphael Wanko wrote:

Hi there,

i would like to exchange the demo certificates from searchguard with certificates provided by our internal Windows Certificate Authority.

I downloaded already the TLS Offline Tool to genreate CSR requests.

Do i need to request all certificates (node, client and admin) as “WebServer Certificate”?

And then can i simpley exchange the fielnames in the config of elasticsearch and thats is, or do i have to do mor changes?

Thanks, -raphael

  • Search Guard version - 22.1
  • Elasticsearch version - 6.2.4
  • Installed and used enterprise modules, if any - none, community edition
  • JVM version - OpenJDK Runtime Environment (build 1.8.0_171-b10)
  • operating system version - CentOS Linux release 7.5.1804 (Core)
  • Search Guard configuration files -> Democonfiguration
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any - Kibana, X-Pack (Security is disabled)

The standard windows ca templates:

I created the CSR with this Configuration: https://pastebin.com/EyyPVneD

My Elasticsearch config looks like that: https://pastebin.com/G8x9rCJ7

This is one of the Node Certificates:

I get this error messages when i start elasticsearch: https://pastebin.com/BzukKcMi

Then i tried “./search-guard-6/tools/sgadmin.sh -cd /search-guard-tlstool-1.4/config/ -cacert /etc/elasticsearch/pankl-ca.pem -cert /etc/elasticsearch/sgadmin.pem -key /etc/elasticsearch/sgadmin.key -nhnv -cn pankl-elasticsearch-cluster”

but it wont get futher than tho this message:

···

Search Guard Admin v6

Will connect to localhost:9300 … done

Elasticsearch Version: 6.2.4

Search Guard Version: 6.2.4-22.1

Connected as EMAILADDRESS=warsys@pankl.com,CN=warsys,OU=IT-Admins,OU=special-users,OU=Pankl-User,DC=pankl,DC=local

Contacting elasticsearch cluster ‘pankl-elasticsearch-cluster’ and wait for YELLOW clusterstate …

And here the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” https://pastebin.com/UHWPXpuH

so you are missing the client auth eku. ask the guys who are responsible for the corporate ssl cert signing.
maybe your templates just do not support the required eku.

···

On Friday, 8 June 2018 10:43:04 UTC+2, Raphael Wanko wrote:

And here the output of “/search-guard-tlstool-1.4/tools/sgtlsdiag.sh -es /etc/elasticsearch/elasticsearch.yml” https://pastebin.com/UHWPXpuH