[DOCS] Add docs for verifying CA fingerprint #81279
Conversation
lockewritesdocs
added
>docs
|
Pinging @elastic/es-docs (Team:Docs) |
|
Pinging @elastic/es-security (Team:Security) |
|
@lockewritesdocs thanks for writing this up! I wonder if its common for third party clients to provide a way to validate fingerprints to treat a CA as trusted? I know for the go client code we have in Beats there is no way to do it, so we are building our own logic. Perhaps we could add a section saying that if their library doesn't support that feature, "we also store the actual CA certificate on disk in PEM format, so any client can copy this over and use it as a trust anchor as it would do today." (Quoting @jkakavas since I am not an expert at how to do this). |
@mostlyjason, I added a section describing this scenario in 7513339. Let me know if there's further clarification needed! |
There was a problem hiding this comment.
I would suggest that we add to subsections:
Using the CA fingerprint
Using the CA certificate
That makes it clearer in my view that these are equivalent, that the latter is not problematic in any way or a "only do this if the above failed, or if you can't make it work" but a proper way to configure the trust relationship with the elasticsearch cluster too
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
++ I'm going to add separate sections in my next commit 👍 |
|
@elasticmachine run elasticsearch-ci/docs skiplinkcheck |
|
@elasticmachine update branch |
|
@elasticmachine update branch |
💚 Backport successful
|
* [DOCS] Add docs for verifying CA fingerprint * Update openssl command and explanatory text * Explain copying CA cert if fingerprint validation isn't possible * Incorporate new section into the main security config page * Clarify how cert is used Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> * Split into two, separate sections * Rename file and update text based on feedback * Update ref to use new filename * Remove extra word Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
* [DOCS] Add docs for verifying CA fingerprint * Update openssl command and explanatory text * Explain copying CA cert if fingerprint validation isn't possible * Incorporate new section into the main security config page * Clarify how cert is used Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> * Split into two, separate sections * Rename file and update text based on feedback * Update ref to use new filename * Remove extra word Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Adds a section in the installation docs for how clients can verify the fingerprint of the Elasticsearch security certificate.
Preview link: https://elasticsearch_81279.docs-preview.app.elstc.co/guide/en/elasticsearch/reference/master/targz.html#_connect_clients_to_elasticsearch
Relates to elastic/clients-team#423