From 8a4b3d7bf0dcd21ec7a4f04c044ebe2b9804b6b2 Mon Sep 17 00:00:00 2001 From: Albert Zaharovits Date: Thu, 31 May 2018 21:49:27 +0300 Subject: [PATCH] [DOCS] Clarify not all PKCS12 usable as truststores (#30750) Although elasticsearch-certutil generates PKCS#12 files which are usable as both keystore and truststore this is uncommon in practice. Settle these expectations for the users following our security guides. --- .../node-certificates.asciidoc | 2 +- .../securing-communications/tls-transport.asciidoc | 10 +++++++--- x-pack/docs/en/settings/security-settings.asciidoc | 13 +++++++++++++ 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc index cd81ffb0a02ba..38e55d87783e9 100644 --- a/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc +++ b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc @@ -5,7 +5,7 @@ TLS requires X.509 certificates to perform encryption and authentication of the application that is being communicated with. In order for the communication between nodes to be truly secure, the certificates must be validated. The -recommended approach for validating certificate authenticity in a {es} cluster +recommended approach for validating certificate authenticity in an {es} cluster is to trust the certificate authority (CA) that signed the certificate. By doing this, as nodes are added to your cluster they just need to use a certificate signed by the same CA and the node is automatically allowed to join the cluster. diff --git a/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc index 2e20a20f907ef..c186aebbe2433 100644 --- a/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc @@ -30,9 +30,13 @@ See <> for a description of the <2> If you created a separate certificate for each node, then you might need to customize this path on each node. If the filename matches the node name, you can use the `certs/${node.name}.p12` format, for example. -<3> The `elasticsearch-certutil` output includes the CA certificate inside the -PKCS#12 keystore, therefore the keystore can also be used as the truststore. -This name should match the `keystore.path` value. +<3> The `elasticsearch-certutil` outputs a PKCS#12 keystore which includes the +CA certificate as a trusted certificate entry. This allows for the keystore to +also be used as a truststore. In this case, the path value should match +the `keystore.path` value. +Note, however, that this is not the general rule. There are keystores that cannot be +used as trustores, only +{ref}/security-settings.html#pkcs12-truststore-note[specifically crafted ones can] -- ** If the certificate is in PEM format, add the following information to the diff --git a/x-pack/docs/en/settings/security-settings.asciidoc b/x-pack/docs/en/settings/security-settings.asciidoc index ab933cc13f7db..20983ae2aeb8e 100644 --- a/x-pack/docs/en/settings/security-settings.asciidoc +++ b/x-pack/docs/en/settings/security-settings.asciidoc @@ -1231,6 +1231,19 @@ Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. +[[pkcs12-truststore-note]] +[NOTE] +Storing trusted certificates in a PKCS#12 file, although supported, is +uncommon in practice. The {ref}/certutil.html[`elasticsearch-certutil`] tool, +as well as Java's `keytool`, are designed to generate PKCS#12 files that +can be used both as a keystore and as a truststore, but this may not be the +case for container files that are created using other tools. Usually, +PKCS#12 files only contain secret and private entries. To confirm that +a PKCS#12 container includes trusted certificate ("anchor") entries look for +`2.16.840.1.113894.746875.1.1: ` in the +`openssl pkcs12 -info` output, or `trustedCertEntry` in the +`keytool -list` output. + [[http-tls-ssl-settings]] :ssl-prefix: xpack.security.http :component: HTTP