Using a certificate to authenticate the Kibana Server user

Hi there,
I would like to use a certificate to authenticate the Kibana Server user, but then use basic HTTP authentication with the internal users backend for regular Kibana users (and once I’ve got that working, want to use LDAP as well). I would like to avoid storing a plain text password in the kibana.yml config file.
The certificate’s CN is kibanaserver. When I am presented with the SG login page, it makes no difference what I use as a username and password. It always authenticates me as user ‘CN=kibanaserver’.
Is there a way I can use certificate authentication only for the Kibana Server user, and then use whatever alternative authentication methods for ‘regular’ users?

I am using ES 5.5.1 with plugin v. 5.5.1-15, Kibana plugin v. 5.5.1-4.

I have this in my kibana.yml file:

elasticsearch.ssl.verificationMode: full

searchguard.basicauth.enabled: true true
searchguard.cookie.password: ‘a-random-32-character-password’
searchguard.session.ttl: 1440000000
searchguard.session.keepalive: true

server.ssl.enabled: true
server.ssl.certificate: ‘/etc/kibana/kibana.cert.pem’
server.ssl.key: ‘/etc/kibana/kibana.key.pem’

elasticsearch.ssl.certificate: ‘/etc/kibana/kibanaserver.cert.pem’
elasticsearch.ssl.key: ‘/etc/kibana/kibana.key.pem’

elasticsearch.ssl.certificateAuthorities: [ ‘/etc/kibana/ca-chain.cert.pem’ ]


And this is my authc section of sg_config.yml

    enabled: true
    order: 1
      type: clientcert
      challenge: false
      type: noop

    enabled: true
    order: 2
      type: basic
      challenge: true
      type: intern