[DOCS] Add docs for verifying CA fingerprint #81279
Conversation
Pinging @elastic/es-docs (Team:Docs)
Pinging @elastic/es-security (Team:Security)
@lockewritesdocs thanks for writing this up! I wonder if it's common for third party clients to provide a way to validate fingerprints to treat a CA as trusted? I know for the go client code we have in Beats there is no way to do it, so we are building our own logic. Perhaps we could add a section saying that if their library doesn't support that feature, "we also store the actual CA certificate on disk in PEM format, so any client can copy this over and use it as a trust anchor as it would do today." (Quoting @jkakavas since I am not an expert at how to do this).
@mostlyjason, I added a section describing this scenario in 7513339. Let me know if there's further clarification needed!
I would suggest that we add two subsections:
Using the CA fingerprint
Using the CA certificate
That makes it clearer in my view that these are equivalent, that the latter is not problematic in any way or an "only do this if the above failed, or if you can't make it work" but a proper way to configure the trust relationship with the elasticsearch cluster too.
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
++ I'm going to add separate sections in my next commit 👍
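The two trust models discussed in this thread (pinning the cluster CA by its SHA-256 fingerprint, or loading the PEM copy of the CA as an ordinary trust anchor) side by side, as an added Go example that is not code from this PR, from Elasticsearch or from Beats. It uses only the Go standard library; the CA and server certificate are generated in `NewTestChain` as constructed test data, and all function names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 digest of a DER certificate in the colon-separated
// uppercase form printed by `openssl x509 -fingerprint -sha256`.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// FingerprintMatches compares a certificate's digest with the expected fingerprint in
// constant time, accepting either case and optional colons (as copied from openssl).
func FingerprintMatches(der []byte, expected string) bool {
	sum := sha256.Sum256(der)
	clean := strings.ToLower(strings.ReplaceAll(strings.TrimSpace(expected), ":", ""))
	return subtle.ConstantTimeCompare([]byte(fmt.Sprintf("%x", sum)), []byte(clean)) == 1
}

// VerifyChainWithCAFingerprint is the "CA fingerprint" trust model: the chain the server
// presents (leaf first) is trusted only if some certificate in it has the expected
// fingerprint and the leaf chains up to it. Wrapped in a closure it has the shape of
// tls.Config.VerifyPeerCertificate; hostname checking is left to the caller.
func VerifyChainWithCAFingerprint(rawCerts [][]byte, expected string) error {
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	var leaf *x509.Certificate
	pinned := false
	for i, der := range rawCerts {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("certificate %d: %w", i, err)
		}
		if i == 0 {
			leaf = cert
		}
		if FingerprintMatches(der, expected) {
			roots.AddCert(cert) // the pinned certificate is the only trust anchor
			pinned = true
		} else if i > 0 {
			intermediates.AddCert(cert)
		}
	}
	if !pinned {
		return fmt.Errorf("no certificate in the chain matches the configured CA fingerprint")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates})
	return err
}

// PoolFromPEM is the alternative trust model: the CA certificate copied from the cluster
// as a PEM file is loaded as an ordinary trust anchor.
func PoolFromPEM(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no CA certificate found in PEM data")
	}
	return pool, nil
}

// NewTestChain generates a throwaway CA and a server certificate signed by it so the
// example runs offline (constructed test data, not a real cluster's CA).
func NewTestChain() (caDER, leafDER, caPEM []byte) {
	_, caKey, err := ed25519.GenerateKey(rand.Reader)
	_, leafKey, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, caKey.Public(), caKey); err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	if leafDER, err = x509.CreateCertificate(rand.Reader, leaf, caCert, leafKey.Public(), caKey); err != nil {
		panic(err)
	}
	return caDER, leafDER, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
}
```

Two design points worth noting: the fingerprint comparison normalizes case and colons so a value pasted from `openssl` output compares equal to a compact lowercase form, and it uses a constant-time compare; and the fingerprint model does not stop at "the pinned CA appears somewhere in the chain", it still runs a full chain verification with that CA as the sole root, so a server cannot be accepted just by appending the public CA certificate to an unrelated chain.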
@elasticmachine run elasticsearch-ci/docs skiplinkcheck
@elasticmachine update branch
@elasticmachine update branch
💚 Backport successful
* [DOCS] Add docs for verifying CA fingerprint
* Update openssl command and explanatory text
* Explain copying CA cert if fingerprint validation isn't possible
* Incorporate new section into the main security config page
* Clarify how cert is used
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
* Split into two, separate sections
* Rename file and update text based on feedback
* Update ref to use new filename
* Remove extra word
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

* [DOCS] Add docs for verifying CA fingerprint
* Update openssl command and explanatory text
* Explain copying CA cert if fingerprint validation isn't possible
* Incorporate new section into the main security config page
* Clarify how cert is used
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
* Split into two, separate sections
* Rename file and update text based on feedback
* Update ref to use new filename
* Remove extra word
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Adds a section in the installation docs for how clients can verify the fingerprint of the Elasticsearch security certificate.
Preview link: https://elasticsearch_81279.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/targz.html#_connect_clients_to_elasticsearch
Relates to elastic/clients-team#423