kibana/packages/kbn-dev-utils/certs
Patryk Kopyciński 5dedc992a1
[osquery] Setup E2E against Serverless ES, Kibana, Fleet server standalone and Elastic agents in Docker (#165415)
## Summary

Let's automate E2E against Serverless

Changelog:
- updated certs to include additional dns names we are using for testing
locally, `host.docker.internal`, `es01`
- updated certs generation README to include changes related to
`openssl@3`
- added new certs for Fleet server
- added fleet-server service token
- added support for `ca_trusted_fingerprint` in fleet preconfig


---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Tomasz Ciecierski <ciecierskitomek@gmail.com>
Co-authored-by: Tomasz Ciecierski <tomasz.ciecierski@elastic.co>
Co-authored-by: Kevin Logan <kevin.logan@elastic.co>
2023-09-29 03:33:06 -07:00
Files in this directory (all last changed in #165415, 2023-09-29):

  • ca.crt
  • elasticsearch.crt
  • elasticsearch.key
  • elasticsearch.p12
  • elasticsearch_emptypassword.p12
  • elasticsearch_nopassword.p12
  • fleet_server.crt
  • fleet_server.key
  • fleet_server.p12
  • kibana.crt
  • kibana.key
  • kibana.p12
  • README.md

Development certificates

Kibana includes several development certificates to enable easy setup of TLS-encrypted communications between Kibana, Elasticsearch and Fleet Server.

Note: these certificates should never be used in production. Their private keys are checked into this public repository, so anyone can impersonate the hosts named in them to any client that trusts ca.crt.

Certificate information

Certificates and keys are provided in multiple formats. These can be used by other packages to set up a new Elastic Stack with Kibana and Elasticsearch. The Certificate Authority (CA) private key is intentionally omitted from this package.

PEM

  • ca.crt -- A PEM-formatted X.509 certificate that is used as a CA (its private key is not included).
  • elasticsearch.crt -- A PEM-formatted X.509 certificate (carrying the public key) for Elasticsearch.
  • elasticsearch.key -- A PEM-formatted PKCS #1 private key for Elasticsearch.
  • kibana.crt -- A PEM-formatted X.509 certificate (carrying the public key) for Kibana.
  • kibana.key -- A PEM-formatted PKCS #1 private key for Kibana.
  • fleet_server.crt -- A PEM-formatted X.509 certificate (carrying the public key) for Fleet Server.
  • fleet_server.key -- A PEM-formatted PKCS #1 private key for Fleet Server.

PKCS #12

  • elasticsearch.p12 -- A PKCS #12 encrypted key store / trust store that contains ca.crt, elasticsearch.crt, and a PKCS #8 encrypted version of elasticsearch.key.
  • kibana.p12 -- A PKCS #12 encrypted key store / trust store that contains ca.crt, kibana.crt, and a PKCS #8 encrypted version of kibana.key.
  • fleet_server.p12 -- A PKCS #12 encrypted key store / trust store that contains ca.crt, fleet_server.crt, and a PKCS #8 encrypted version of fleet_server.key.

The password used for all three is "storepass". Two more copies of the Elasticsearch key store are provided so that the empty-password and no-password cases can be tested:

  • elasticsearch_emptypassword.p12 -- The same PKCS #12 key store, encrypted with an empty password ("").
  • elasticsearch_nopassword.p12 -- The same PKCS #12 key store, not encrypted with a password at all.

Certificate generation

Elasticsearch's elasticsearch-certutil and OpenSSL 3 (openssl@3 on macOS; the -legacy and -traditional flags below do not exist in OpenSSL 1.1) were used to generate these certificates. The following commands were run from the root directory of Elasticsearch:

IMPORTANT: CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates.

# Generate the PKCS #12 keystore for a CA, valid for 50 years
bin/elasticsearch-certutil ca --out ca.p12 --days 18250 --pass castorepass

# Generate the PKCS #12 keystore for Elasticsearch and sign it with the CA
bin/elasticsearch-certutil cert --out elasticsearch.p12 --days 18250 --ca ca.p12 --ca-pass castorepass --name elasticsearch --dns localhost,host.docker.internal,es01,es02,es03 --pass storepass

# Generate the PKCS #12 keystore for Kibana and sign it with the CA
bin/elasticsearch-certutil cert --out kibana.p12 --days 18250 --ca ca.p12 --ca-pass castorepass --name kibana --dns localhost,host.docker.internal,es01,es02,es03 --pass storepass

# Generate the PKCS #12 keystore for Fleet Server and sign it with the CA
bin/elasticsearch-certutil cert --out fleet_server.p12 --days 18250 --ca ca.p12 --ca-pass castorepass --name fleet_server --dns localhost,host.docker.internal,es01,es02,es03 --pass storepass

# Copy the PKCS #12 keystore for Elasticsearch with an empty password.
# -nodes sends the private key through the pipe unencrypted (it never touches disk);
# -legacy (OpenSSL 3) selects the older RC2/3DES PBE algorithms that OpenSSL 1.1 produced by default,
# so the result stays readable by consumers that cannot handle the OpenSSL 3 defaults.
openssl pkcs12 -in elasticsearch.p12 -nodes -passin pass:"storepass" -passout pass:"" | openssl pkcs12 -export -legacy -out elasticsearch_emptypassword.p12 -passout pass:""

# Manually create "elasticsearch_nopassword.p12" -- this can be done on macOS by importing the P12 key store into the Keychain and exporting it again

# Extract the PEM-formatted X.509 certificate for the CA.
# -nokeys matters: -cacerts/-clcerts only filter which certificates are written, and without
# -nokeys openssl pkcs12 also writes the private key into the .crt file.
openssl pkcs12 -in elasticsearch.p12 -out ca.crt -cacerts -nokeys -passin pass:"storepass"

# Extract the PEM-formatted PKCS #1 private key for Elasticsearch.
# The throwaway "keypass" keeps the key encrypted while it crosses the pipe; openssl rsa -traditional
# (OpenSSL 3) then writes PKCS #1 ("BEGIN RSA PRIVATE KEY") instead of the PKCS #8 default.
openssl pkcs12 -in elasticsearch.p12 -nocerts -passin pass:"storepass" -passout pass:"keypass" | openssl rsa -passin pass:keypass -out elasticsearch.key -traditional

# Extract the PEM-formatted X.509 certificate for Elasticsearch
openssl pkcs12 -in elasticsearch.p12 -out elasticsearch.crt -clcerts -nokeys -passin pass:"storepass"

# Extract the PEM-formatted PKCS #1 private key for Kibana
openssl pkcs12 -in kibana.p12 -nocerts -passin pass:"storepass" -passout pass:"keypass" | openssl rsa -passin pass:keypass -out kibana.key -traditional

# Extract the PEM-formatted X.509 certificate for Kibana
openssl pkcs12 -in kibana.p12 -out kibana.crt -clcerts -nokeys -passin pass:"storepass"

# Extract the PEM-formatted PKCS #1 private key for Fleet Server
openssl pkcs12 -in fleet_server.p12 -nocerts -passin pass:"storepass" -passout pass:"keypass" | openssl rsa -passin pass:keypass -out fleet_server.key -traditional

# Extract the PEM-formatted X.509 certificate for Fleet Server
openssl pkcs12 -in fleet_server.p12 -out fleet_server.crt -clcerts -nokeys -passin pass:"storepass"