mirror of
https://github.com/elastic/elasticsearch.git
synced 2025-04-23 06:37:27 -04:00
65d152640b
* Set `keyUsage` for generated HTTP certificates and self-signed CA (#126376)
The `elasticsearch-certutil http` command, and security auto-configuration,
generate the HTTP certificate and CA without setting the `keyUsage` extension.
This PR fixes this by setting (by default):
- `keyCertSign` and `cRLSign` for self-signed CAs
- `digitalSignature` and `keyEncipherment` for HTTP certificates and CSRs
These defaults can be overridden when running `elasticsearch-certutil http`
command. The user will be prompted to change them as they wish.
For `elasticsearch-certutil ca`, the default value can be overridden by passing
the `--keysage` option, e.g.
```
elasticsearch-certutil ca --keyusage "digitalSignature,keyCertSign,cRLSign" -pem
```
Fixes #117769
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| certgen.asciidoc | ||
| certutil.asciidoc | ||
| cli-jvm-options.asciidoc | ||
| create-enrollment-token.asciidoc | ||
| croneval.asciidoc | ||
| index.asciidoc | ||
| keystore.asciidoc | ||
| node-tool.asciidoc | ||
| reconfigure-node.asciidoc | ||
| reset-password.asciidoc | ||
| saml-metadata.asciidoc | ||
| service-tokens-command.asciidoc | ||
| setup-passwords.asciidoc | ||
| shard-tool.asciidoc | ||
| syskeygen.asciidoc | ||
| users-command.asciidoc | ||