Remove support of creating CA on the fly when generating certificates (#65590)

Generating certificates with the cert sub-command now requires either: 1) that a CA
be provided with --ca or --ca-cert/--ca-key; or 2) that the certificates be made
self-signed with the --self-signed option. Generating a CA on the fly is no longer
supported. The --keep-ca-key option is removed and the tool throws an error
saying the CA needs to be generated separately if the option is specified.

This is a follow-up PR for #61884, which deprecated the "ca-on-the-fly" usage.
Yang Wang 2020-12-16 13:54:32 +11:00 committed by GitHub
parent 937627d37a
commit b018c761e9
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 97 additions and 175 deletions


@ -18,7 +18,7 @@ bin/elasticsearch-certutil
| (cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>])
[--ca-dn <name>] [--ca-pass <password>] [--days <n>]
[--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--keep-ca-key] [--multiple] [--name <file_name>] [--pem] [--self-signed])
[--multiple] [--name <file_name>] [--pem] [--self-signed])
| (csr [--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
[--name <file_name>])
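Review bot: `[--ca-dn <name>]` on the unchanged line above the removed `[--keep-ca-key]` stays in the `cert` synopsis, yet the only CA that `cert` mode could name was the one it generated on the fly, which this change removes. If the option now has no effect in `cert` mode, drop it from this synopsis too; if it is still accepted, the parameter description should say what it does when the CA is always supplied by the user. `--ca-pass` is different, since it is still needed to open a CA keystore given with `--ca`, and should stay.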
@ -79,9 +79,8 @@ cannot perform hostname verification and you might need to configure the
about this setting, see <<security-settings>>.
All certificates that are generated by this command are signed by a CA unless
the `--self-signed` parameter is specified. You can provide your own CA with the
`--ca` or `--ca-cert` and `--ca-key` parameters. Otherwise, the command automatically generates a new CA for you.
deprecated:[7.11.0,"Generating certificates without specifying a CA certificate and key is deprecated. In the next major version you must provide a CA certificate unless the `--self-signed` option is specified."]
the `--self-signed` parameter is specified. You must provide your own CA with the
`--ca` or `--ca-cert` and `--ca-key` parameters unless `--self-signed` is specified.
For more information about generating a CA, see the
<<certutil-ca,CA mode of this command>>.
To generate self-signed certificates, use the `--self-signed` parameter.
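Review bot: the added sentence repeats the `--self-signed` condition that the unchanged first sentence ("signed by a CA unless the `--self-signed` parameter is specified") and the unchanged last line ("To generate self-signed certificates, use the `--self-signed` parameter.") already state, so the paragraph now says it three times. Suggest shortening the added text to "You must provide your own CA with the `--ca` or `--ca-cert` and `--ca-key` parameters." and, in place of the deleted `deprecated:` admonition, adding one sentence for readers who relied on the old behaviour: the command now exits with an error instead of generating a CA when neither a CA nor `--self-signed` is given, which is the error the commit message describes.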
@ -90,7 +89,7 @@ By default, the `cert` mode produces a single PKCS#12 output file which holds
the instance certificate, the instance private key, and the CA certificate. If
you specify the `--pem` parameter, the command generates PEM formatted
certificates and keys and packages them into a zip file.
If you specify the `--keep-ca-key`, `--multiple` or `--in` parameters,
If you specify the `--multiple` or `--in` parameters,
the command produces a zip file containing the generated certificates and keys.
[discrete]
@ -180,9 +179,6 @@ parameter.
`--ip <IP_addresses>`:: Specifies a comma-separated list of IP addresses. This
parameter cannot be used with the `ca` parameter.
`--keep-ca-key`:: When running in `cert` mode with an automatically-generated
CA, specifies to retain the CA private key for future use.
`--keysize <bits>`::
Defines the number of bits that are used in generated RSA keys. The default
value is `2048`.
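Review bot: deleting the `--keep-ca-key` entry removes the only place the parameter list mentions the option, but per the commit message the tool still recognises it and fails with an error telling the user to generate the CA separately. Rather than dropping it silently, keep a one-line entry (or a note under `--ca`) stating that `--keep-ca-key` is no longer supported and that the CA must be created first with the `ca` mode, linking to <<certutil-ca>>, so users whose scripts start failing can find the reason in the reference.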
@ -305,7 +301,7 @@ parameter to specify the location of the file. For example:
[source, sh]
--------------------------------------------------
bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword --keep-ca-key
bin/elasticsearch-certutil cert --silent --in instances.yml --out test1.zip --pass testpassword --ca elastic-stack-ca.p12
--------------------------------------------------
This command generates a compressed `test1.zip` file. After you decompress the
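Review bot: the replacement command reads a CA from `elastic-stack-ca.p12` but passes only `--pass testpassword` for the output and no `--ca-pass`, while running with `--silent`; if the CA keystore is password-protected, as one produced by the `ca` mode normally is, the example as written either prompts or fails, so either add `--ca-pass` or state that the command prompts for the CA password. A lead-in sentence saying that `elastic-stack-ca.p12` is the file produced by the `ca` mode described under <<certutil-ca>> would also tie the example to the new requirement of supplying a CA.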