use root CA for interactive setup (#118364) (#118905)

* use root CA for interactive setup * Use intermediate CA for end-to-end test * Align setup CLI enrollment token param with ES * Add CA private key to certificate Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Thom Heymann <190132+thomheymann@users.noreply.github.com>
2025-04-23 17:28:26 -04:00 · 2021-11-17 13:55:46 -05:00 · 2021-11-17 13:55:46 -05:00 · f537c11b86
commit f537c11b86
parent d4d1f86589
4 changed files with 79 additions and 20 deletions
--- a/src/cli_setup/cli_setup.ts
+++ b/src/cli_setup/cli_setup.ts
@ -33,7 +33,7 @@ program
  .description(
    'This command walks you through all required steps to securely connect Kibana with Elasticsearch'
  )
-  .option('-t, --token <token>', 'Elasticsearch enrollment token')
+  .option('-t, --enrollment-token <token>', 'Elasticsearch enrollment token')
  .option('-s, --silent', 'Prevent all logging');

 program.parse(process.argv);
@ -82,9 +82,9 @@ async function initCommand() {
  } catch (error) {
    if (!options.silent) {
      spinner.fail(
-        `${chalk.bold('Unable to enroll with Elasticsearch:')} ${chalk.red(
-          `${getDetailedErrorMessage(error)}`
-        )}`
+        `${chalk.bold(
+          'Unable to connect to Elasticsearch with the provided enrollment token:'
+        )} ${chalk.red(`${getDetailedErrorMessage(error)}`)}`
      );
    }
    logger.error('');
--- a/src/plugins/interactive_setup/public/cluster_configuration_form.tsx
+++ b/src/plugins/interactive_setup/public/cluster_configuration_form.tsx
@ -258,9 +258,9 @@ export const ClusterConfigurationForm: FunctionComponent<ClusterConfigurationFor
              value="true"
              checked={!!form.values.caCert}
              onChange={() => {
-                const intermediateCa = certificateChain[Math.min(1, certificateChain.length - 1)];
+                const rootCa = certificateChain[certificateChain.length - 1];
                form.setTouched('caCert');
-                form.setValue('caCert', form.values.caCert ? '' : intermediateCa.raw);
+                form.setValue('caCert', form.values.caCert ? '' : rootCa.raw);
              }}
            >
              <CertificateChain certificateChain={certificateChain} />
--- a/test/interactive_setup_api_integration/fixtures/README.md
+++ b/test/interactive_setup_api_integration/fixtures/README.md
@ -6,27 +6,86 @@ The Elasticsearch HTTP layer keystore is supposed to mimic the PKCS12 keystore t
 - A PrivateKeyEntry for the CA's key and certificate
 - A TrustedCertificateEntry for the CA's certificate

+__IMPORTANT:__ CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates.
+
 ```bash
-$ES_HOME/bin/elasticsearch-certutil cert \
-  --out $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
-  --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass "castorepass" --pass "storepass" \
-  --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 \
+ROOT_CA_PATH='packages/kbn-dev-utils/certs/ca.p12'
+ROOT_CA_NAME='root'
+INTERMEDIATE_CA_NAME='intermediate'
+INSTANCE_NAME='elasticsearch'
+
+# Create intermediate CA
+bin/elasticsearch-certutil ca --ca-dn "CN=Elastic Intermediate CA" -days 18250 --out $INTERMEDIATE_CA_NAME.p12 --pass castorepass
+
+# Create instance certificate
+bin/elasticsearch-certutil cert \
+  --ca $INTERMEDIATE_CA_NAME.p12 --ca-pass castorepass --name $INSTANCE_NAME \
+  --dns=localhost --dns=localhost.localdomain \
+  --dns=localhost4 --dns=localhost4.localdomain4 \
  --dns=localhost6 --dns=localhost6.localdomain6 \
-  --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1
-```
+  --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 \
+  -days 18250 --out $INSTANCE_NAME.p12 --pass storepass

-Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry
-```bash
+# Convert P12 keystores to PEM files
+openssl pkcs12 -in $ROOT_CA_PATH -out $ROOT_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass:
+openssl pkcs12 -in $ROOT_CA_PATH -nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $ROOT_CA_NAME.key
+
+openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 -out $INTERMEDIATE_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass:
+openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 -nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INTERMEDIATE_CA_NAME.key
+
+openssl pkcs12 -in $INSTANCE_NAME.p12 -out $INSTANCE_NAME.crt -clcerts -passin pass:storepass -passout pass:
+openssl pkcs12 -in $INSTANCE_NAME.p12 -nocerts -passin pass:storepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INSTANCE_NAME.key
+
+# Re-sign intermediate CA
+mkdir -p ./tmp
+openssl x509 -x509toreq -in $INTERMEDIATE_CA_NAME.crt -signkey $INTERMEDIATE_CA_NAME.key -out ./tmp/$INTERMEDIATE_CA_NAME.csr
+dd if=/dev/urandom of=./tmp/rand bs=256 count=1
+touch ./tmp/index.txt
+echo "01" > ./tmp/serial
+cp /System/Library/OpenSSL/openssl.cnf ./tmp/
+echo "
+[ tmpcnf ]
+dir             = ./
+certs           = ./
+new_certs_dir   = ./tmp
+crl_dir         = ./tmp/crl
+database        = ./tmp/index.txt
+unique_subject  = no
+certificate     = ./$ROOT_CA_NAME.crt
+serial          = ./tmp/serial
+crlnumber       = ./tmp/crlnumber
+crl             = ./tmp/crl.pem
+private_key     = ./$ROOT_CA_NAME.key
+RANDFILE        = ./tmp/rand
+x509_extensions = v3_ca
+name_opt        = ca_default
+cert_opt        = ca_default
+default_days    = 18250
+default_crl_days= 30
+default_md      = sha256
+preserve        = no
+policy          = policy_anything
+" >> ./tmp/openssl.cnf
+
+openssl ca -batch -config ./tmp/openssl.cnf -name tmpcnf -in ./tmp/$INTERMEDIATE_CA_NAME.csr -out $INTERMEDIATE_CA_NAME.crt
+
+# Convert PEM files back to P12 keystores
+cat $INTERMEDIATE_CA_NAME.key $INTERMEDIATE_CA_NAME.crt $ROOT_CA_NAME.crt | openssl pkcs12 -export -name $INTERMEDIATE_CA_NAME -passout pass:castorepass -out $INTERMEDIATE_CA_NAME.p12
+cat $INSTANCE_NAME.key $INSTANCE_NAME.crt $ROOT_CA_NAME.crt $INTERMEDIATE_CA_NAME.crt | openssl pkcs12 -export -name $INSTANCE_NAME -passout pass:storepass -out $INSTANCE_NAME.p12
+
+# Verify contents of keystores
+openssl pkcs12 -info -in $INTERMEDIATE_CA_NAME.p12 -passin pass:"castorepass" -nodes
+openssl pkcs12 -info -in $INSTANCE_NAME.p12 -passin pass:"storepass" -nodes
+
+# Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry
 keytool -changealias -alias ca -destalias cacert -keystore \
-  $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+  $INSTANCE_NAME.p12 \
  -deststorepass "storepass"
-```

-Import the CA PrivateKeyEntry
-```bash
+# Import the CA PrivateKeyEntry
 keytool -importkeystore \
-  -srckeystore $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 \
+  -srckeystore $ROOT_CA_PATH \
  -srcstorepass "castorepass" \
-  -destkeystore $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \
+  -destkeystore $INSTANCE_NAME.p12 \
  -deststorepass "storepass"
 ```
--- a/test/interactive_setup_api_integration/fixtures/elasticsearch.p12
+++ b/test/interactive_setup_api_integration/fixtures/elasticsearch.p12