
[DOCS] Adds instructions to extract files from a .p12 keystore #54981

Merged: 8 commits, Feb 10, 2020

Conversation

mellieA

@mellieA mellieA commented Jan 15, 2020

[skip-ci]
closes #26414

Added section with commands to extract .crt, .key, and .pem from a .p12 keystore generated by elasticsearch-certutil. This only applies to 7.5 and older; 7.6 will support using the .p12 file intact.


@elasticmachine
Contributor

Pinging @elastic/kibana-docs (Team:Docs)

@mellieA mellieA requested a review from gchaps January 15, 2020 22:42
@mellieA
Author

mellieA commented Jan 15, 2020

The docs preview is available here

docs/user/security/securing-communications/index.asciidoc
utility as described in {ref}/configuring-tls.html#node-certificates[Generating Node Certificates],
the output file is a PKCS#12 keystore. The keystore contains the private key,
instance certificate, and CA certificate. You can use `openssl` to extract the files
from the keystore.
Contributor

Suggested change
from the keystore.
from the keystore in PEM format.


[source,shell]
----------------------------------------------------------
openssl pkcs12 -in elastic-certificates.p12 -nocerts -out cacert.pem
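Review bot: `-nocerts` on this line drops the certificates and writes the private key, so the file named `cacert.pem` would contain key material rather than the CA certificate, and a user following the docs would point `elasticsearch.ssl.certificateAuthorities` at it. The CA certificate alone comes from `-cacerts -nokeys`, e.g. `openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out ca.crt`, which also avoids leaving an unprotected key copy next to the Kibana config.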
Contributor

Suggested change
openssl pkcs12 -in elastic-certificates.p12 -nocerts -out cacert.pem
openssl pkcs12 -in elastic-certificates.p12 -cacerts -nokeys -out ca.crt

Contributor

Note: the extension doesn't particularly matter, but pem is more generic than crt.

Member

Agreed that the extension doesn't make a difference, but I think we should be consistent and use pem or crt in both cases, CA and server (I slightly prefer crt since this is what we use in most places in our docs for PEM encoded certificate files).

@jkakavas jkakavas self-requested a review January 16, 2020 06:38
Member

@jkakavas jkakavas left a comment

I think that the way this is written now conflates two possibilities and makes assumptions about the user's setup. The assumption is that the user has used elasticsearch-certutil to generate a PKCS#12 that contains a key and certificate pair that will be used both for Elasticsearch's HTTP layer and for the Kibana server. This is most probably not the case.

Could we split these up?

  • One section that explains how to get the cacert.crt from Elasticsearch's PKCS#12 so that it can be used for elasticsearch.ssl.certificateAuthorities.
  • One section that explains that elasticsearch-certutil can also be used to generate a new certificate / key pair that can be used for the Kibana server (server.ssl.key and server.ssl.certificate). This could be an invocation of elasticsearch-certutil cert with the --pem flag so that the files will be created directly in PEM format and users won't have to export them from a PKCS#12 container, i.e.
    `bin/elasticsearch-certutil cert --pem --dns <kibana_hostname>`

As a side-note, I think we haven't been suggesting elasticsearch-certutil for Kibana certificate generation so far. The assumption is that since Kibana is user facing, the browsers would need to trust that certificate and users should get the certificate signed by a trusted CA (instead of a self-generated one). I don't have anything against adding an example with elasticsearch-certutil (or `openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt` for that matter) but we could make a note that this won't be trusted by the users' browsers.
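To make the flag difference discussed in this review concrete, here is an added shell example (not from the Kibana docs or this PR) that builds a throwaway PKCS#12 laid out like elasticsearch-certutil's output (private key, instance certificate, CA certificate), extracts only the CA certificate with `-cacerts -nokeys`, and shows that the first draft's `-nocerts` form yields the private key instead. All file names, subjects and the password are constructed; the only dependency is `openssl`.

```shell
#!/bin/sh
# Added example (not from the Kibana docs or this PR): constructs a PKCS#12
# bundle with the same layout as elastic-certificates.p12 and demonstrates
# which openssl pkcs12 flags pull out which piece. Names and the password
# are constructed for this example.
set -eu

WORK=$(mktemp -d)
P12PASS="constructed-password"

# Throw-away CA and an instance certificate signed by it (stand-ins for the
# ones elasticsearch-certutil would have generated).
make_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=es-node" \
    -keyout "$WORK/instance.key" -out "$WORK/instance.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/instance.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/instance.crt" 2>/dev/null
  # Key + instance cert + CA cert, as in elastic-certificates.p12.
  openssl pkcs12 -export -inkey "$WORK/instance.key" -in "$WORK/instance.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$P12PASS" \
    -out "$WORK/elastic-certificates.p12"
}

# What the PR ended up recommending: CA certificate only, no key material.
extract_ca() {
  openssl pkcs12 -in "$WORK/elastic-certificates.p12" -cacerts -nokeys \
    -passin "pass:$P12PASS" -out "$WORK/ca-extracted.crt"
}

# The first draft's flag: -nocerts emits the private key, which is not what
# elasticsearch.ssl.certificateAuthorities expects (-nodes leaves it
# unencrypted so the content is visible for the check below).
extract_with_nocerts() {
  openssl pkcs12 -in "$WORK/elastic-certificates.p12" -nocerts -nodes \
    -passin "pass:$P12PASS" -out "$WORK/nocerts-output.pem"
}

# Returns 0 when the file holds certificates and no PRIVATE KEY block.
is_cert_only() {
  grep -q "BEGIN CERTIFICATE" "$1" && ! grep -q "PRIVATE KEY" "$1"
}

# Returns 0 when the extracted CA actually verifies the instance certificate,
# i.e. it is the right file to hand to Kibana as a trust anchor.
ca_verifies_instance() {
  openssl verify -CAfile "$WORK/ca-extracted.crt" "$WORK/instance.crt" >/dev/null 2>&1
}

make_bundle
extract_ca
extract_with_nocerts
```

Running it leaves `ca-extracted.crt` with only a certificate, while `nocerts-output.pem` contains a PRIVATE KEY block, which is the mix-up the review caught.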


Melori Arellano and others added 5 commits January 16, 2020 12:14
@mellieA
Author

mellieA commented Jan 16, 2020

@jkakavas @jportner

I reviewed our updated 7.6 documentation for these sections. In that version, we document support for .p12 keystores and using elasticsearch-certutil to create certificates for Kibana.

Encrypting traffic between Kibana and the browser
Mutual TLS authentication between Kibana and Elasticsearch

Since this new section will only apply to pre-7.6 versions, would it make sense to only add the instructions to extract the CA certificate to be used for elasticsearch.ssl.certificateAuthorities?

@jportner
Contributor

Sorry, I had started writing a response but got pulled to something else.

As a side-note, I think we haven't been suggesting elasticsearch-certutil for kibana certificates generation so far. The assumption is that since kibana is user facing the browsers would need to trust that certificate and users should get the certificate signed by a trusted CA ( instead of a self-generated one ). I don't have anything against adding an example with elasticsearch-certutil (or openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt for that matter ) but we could make a note that this won't be trusted by the users browsers.

@jkakavas I think this is a misunderstanding and it's partially my fault.

I added PKCS#12 support in #53810, and I updated the docs accordingly (as @mellieA referenced). One TBD comment in the docs asked for an example to generate the Kibana server certificate using elasticsearch-certutil, and I took it too literally. I wrote an example using the cert command, when I should have written it with the csr command as you alluded here.

How about I submit a PR to rewrite that section for 7.6+, and then we can revisit this PR for previous versions?

@mellieA
Author

mellieA commented Jan 16, 2020

Oh! That makes sense. I saw those same comments too. That was the reason I decided to add a link in that section about elasticsearch-certutil.

You're right, I think what you decide to document for 7.6 will influence what we should do here.

@jportner
Contributor

You're right, I think what you decide to document for 7.6 will influence what we should do here.

Excellent, I added an issue here: #55112

If I don't get to this today, I will do it first thing next week.

@lcawl
Contributor

lcawl commented Jan 21, 2020

FYI: in case you're interested in previewing the changes to this section of the docs for the new elasticsearch-certutil http command (in 7.6+), see #55357. Just mentioning it in case your changes will ultimately affect master.

@mellieA
Author

mellieA commented Feb 6, 2020

@jportner graciously provided a draft to make this consistent with the updates he made in #55112. I updated and committed the changes. Please review.

Contributor

@jportner jportner left a comment

LGTM on behalf of the Security team!

--------------------------------------------------------------------------------
--
. Restart {kib}.
After making these changes, you must always access {kib} via HTTPS. For example, https://<your_kibana_host>.com.
Contributor

Format https://<your_kibana_host>.com so it doesn't show up as a link.

@mellieA mellieA requested a review from jkakavas February 7, 2020 16:20
@jkakavas jkakavas self-requested a review February 10, 2020 14:39
Member

@jkakavas jkakavas left a comment

LGTM

@elasticmachine
Contributor

user doesn't have permission to update head repository

@mellieA mellieA merged commit 778bfa9 into elastic:7.5 Feb 10, 2020
@mellieA mellieA deleted the 26414 branch February 10, 2020 17:34
mellieA pushed a commit to mellieA/kibana that referenced this pull request Feb 10, 2020
…ic#54981)

* [DOCS] Adds instructions to extract files from a .p12 keystore

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Revised section to make it consistent with 7.6

* Format URL so it doesn't appear as a link

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
mellieA pushed a commit that referenced this pull request Feb 10, 2020
… (#57231)

* [DOCS] Adds instructions to extract files from a .p12 keystore

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Update docs/user/security/securing-communications/index.asciidoc

Co-Authored-By: Joe Portner <5295965+jportner@users.noreply.github.com>

* Revised section to make it consistent with 7.6

* Format URL so it doesn't appear as a link

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>

Co-authored-by: Joe Portner <5295965+jportner@users.noreply.github.com>
mellieA pushed a commit that referenced this pull request Feb 10, 2020
… (#57230)
mellieA pushed a commit that referenced this pull request Feb 10, 2020
… (#57229)
mellieA pushed a commit that referenced this pull request Feb 10, 2020
… (#57228)
mellieA pushed a commit that referenced this pull request Feb 10, 2020
… (#57227)