github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-27 10:40:07 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/test/interactive_setup_api_integration/fixtures
History
Spencer c8f83ed2eb
Move real plugins out of 'fixtures' dirs (#148756) 
The location of plugins was previously somewhat irrelevant, but as we
move into packages it's more important that we can find all plugins in
the repository, and we would like to be able to do that without needing
to maintain a manifest somewhere to accomplish this. In order to make
this possible we plan to find any plugin/package by spotting all
kibana.json files which are not "fixtures". This allows plugin-like code
(but not actual plugin code) to exist for testing purposes, but it must
be within some form of "fixtures" directory, and any plugin that isn't
in a fixtures directory will be automatically pulled into the system
(though test plugins, examples, etc. will still only be loaded when the
plugin's path is passed via `--plugin-path`, the system will know about
them and use that knowledge for other things).

Since this is just a rename Operations will review and merge by EOD Jan
12th unless someone has a blocking concern.

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2023-01-12 12:38:49 -07:00
..
elasticsearch.p12 use root CA for interactive setup (#118364) 2021-11-17 17:23:24 +00:00
README.md use root CA for interactive setup (#118364) 2021-11-17 17:23:24 +00:00
test_helpers.ts Remove bluebird dependency (#118097) 2021-11-11 15:17:02 +01:00
tls_tools.ts Add API integration tests for Interactive Setup. (#111879) 2021-10-14 20:14:01 +02:00

README.md

Certificate generation

The Elasticsearch HTTP layer keystore is supposed to mimic the PKCS12 keystore that the elasticsearch startup script will auto-generate for a node. The keystore contains:

  • A PrivateKeyEntry for the node's key and certificate for the HTTP layer
  • A PrivateKeyEntry for the CA's key and certificate
  • A TrustedCertificateEntry for the CA's certificate

IMPORTANT: CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates.

ROOT_CA_PATH='packages/kbn-dev-utils/certs/ca.p12'
ROOT_CA_NAME='root'
INTERMEDIATE_CA_NAME='intermediate'
INSTANCE_NAME='elasticsearch'

# Create intermediate CA
bin/elasticsearch-certutil ca --ca-dn "CN=Elastic Intermediate CA" -days 18250 --out $INTERMEDIATE_CA_NAME.p12 --pass castorepass

# Create instance certificate
bin/elasticsearch-certutil cert \
  --ca $INTERMEDIATE_CA_NAME.p12 --ca-pass castorepass --name $INSTANCE_NAME \
  --dns=localhost --dns=localhost.localdomain \
  --dns=localhost4 --dns=localhost4.localdomain4 \
  --dns=localhost6 --dns=localhost6.localdomain6 \
  --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 \
  -days 18250 --out $INSTANCE_NAME.p12 --pass storepass

# Convert P12 keystores to PEM files
openssl pkcs12 -in $ROOT_CA_PATH -out $ROOT_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass:
openssl pkcs12 -in $ROOT_CA_PATH -nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $ROOT_CA_NAME.key

openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 -out $INTERMEDIATE_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass:
openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 -nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INTERMEDIATE_CA_NAME.key

openssl pkcs12 -in $INSTANCE_NAME.p12 -out $INSTANCE_NAME.crt -clcerts -passin pass:storepass -passout pass:
openssl pkcs12 -in $INSTANCE_NAME.p12 -nocerts -passin pass:storepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INSTANCE_NAME.key

# Re-sign intermediate CA
mkdir -p ./tmp
openssl x509 -x509toreq -in $INTERMEDIATE_CA_NAME.crt -signkey $INTERMEDIATE_CA_NAME.key -out ./tmp/$INTERMEDIATE_CA_NAME.csr
dd if=/dev/urandom of=./tmp/rand bs=256 count=1
touch ./tmp/index.txt
echo "01" > ./tmp/serial
cp /System/Library/OpenSSL/openssl.cnf ./tmp/
echo "
[ tmpcnf ]
dir             = ./
certs           = ./
new_certs_dir   = ./tmp
crl_dir         = ./tmp/crl
database        = ./tmp/index.txt
unique_subject  = no
certificate     = ./$ROOT_CA_NAME.crt
serial          = ./tmp/serial
crlnumber       = ./tmp/crlnumber
crl             = ./tmp/crl.pem
private_key     = ./$ROOT_CA_NAME.key
RANDFILE        = ./tmp/rand
x509_extensions = v3_ca
name_opt        = ca_default
cert_opt        = ca_default
default_days    = 18250
default_crl_days= 30
default_md      = sha256
preserve        = no
policy          = policy_anything
" >> ./tmp/openssl.cnf

openssl ca -batch -config ./tmp/openssl.cnf -name tmpcnf -in ./tmp/$INTERMEDIATE_CA_NAME.csr -out $INTERMEDIATE_CA_NAME.crt

# Convert PEM files back to P12 keystores
cat $INTERMEDIATE_CA_NAME.key $INTERMEDIATE_CA_NAME.crt $ROOT_CA_NAME.crt | openssl pkcs12 -export -name $INTERMEDIATE_CA_NAME -passout pass:castorepass -out $INTERMEDIATE_CA_NAME.p12
cat $INSTANCE_NAME.key $INSTANCE_NAME.crt $ROOT_CA_NAME.crt $INTERMEDIATE_CA_NAME.crt | openssl pkcs12 -export -name $INSTANCE_NAME -passout pass:storepass -out $INSTANCE_NAME.p12

# Verify contents of keystores
openssl pkcs12 -info -in $INTERMEDIATE_CA_NAME.p12 -passin pass:"castorepass" -nodes
openssl pkcs12 -info -in $INSTANCE_NAME.p12 -passin pass:"storepass" -nodes

# Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry
keytool -changealias -alias ca -destalias cacert -keystore \
  $INSTANCE_NAME.p12 \
  -deststorepass "storepass"

# Import the CA PrivateKeyEntry
keytool -importkeystore \
  -srckeystore $ROOT_CA_PATH \
  -srcstorepass "castorepass" \
  -destkeystore $INSTANCE_NAME.p12 \
  -deststorepass "storepass"