Kibana: [docs/security] describe how to extract ca, cert & key from p12 truststore in Kibana docs

Pinging @elastic/kibana-security

There are some caveats with this approach too unfortunately. We have noticed that openssl can't export the CA certificate from the PKCS12 containers that certutil generates. The issue is that openssl won't consider a certificate in a PKCS#12 container to be a CA certificate because it has a private key associated with it. On the contrary, this is exactly how it tries to figure out if a certificate is a CA one, it selects those that do not have a private key ( https://github.com/openssl/openssl/blob/master/apps/pkcs12.c#L709 ) . It looks like this is intended behavior : https://bugzilla.redhat.com/show_bug.cgi?id=1246371#c1
We have seen this behavior with openssl versions 1.0.2h, 1.0.1g, 1.1.1, LibreSSL 2.2.7.

• This manifests when certutil is used as certutil ca to generate the CA and then trying to export the CA certificate from that (which contains only the CA cert and key).
• This doesn't manifest when certutil is used as certutil ca to generate the CA first and then used with certutil cert --ca ca.p12 to generate the certificates in the PKCS#12 (i.e. elastic-certificates.p12). The reason is that elastic-certificates.p12 doesn't contain the the CA key but only the CA cert.
• This doesn't manifest when certutil is used as certutil cert to generate the CA and the node certificates in one pass in the PKCS#12 (i.e. elastic-certificates.p12). The reason is that elastic-certificates.p12 doesn't contain the the CA key as we discard it.

So in summary the above commands work with the PKCS#12 containers that have CA cert, node cert and node key, but does not work with the PKCS#12 containers that have CA cert, CA key. In the latter case, what works is to tell openssl to treat the CA cert as a client one and export it with

openssl pkcs12 -in elasticsearch-certificates.p12 -clcerts -nokeys -out node.crt

Quick note: I think the default pk12 filename (if docs are followed) is actually elastic-certificates.p12. So the commands specified above could be changed to reflect this.
FYI I did not notice the issue that @jkakavas mentions above because I generated the CA file first using certutil ca. I did it this way because that was the order the docs specified.

Thanks @nerophon for documenting this. I used your steps above, but then needed to sort out which files to use for each setting. It might not be perfect since my kibana is on the same VM as elasticsearch.

Below is what worked for me:

server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/node.crt
server.ssl.key: /etc/kibana/certs/node.pem
server.ssl.keyPassphrase: "YourPassphraseIfEncrypted"

I describe a similar method in the following blog: https://www.elastic.co/blog/elasticsearch-security-configure-tls-ssl-pki-authentication

Private Key
openssl pkcs12 -in client.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key

Public Certificate
openssl pkcs12 -in client.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.cer

CA Certificate
openssl pkcs12 -in client.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client-ca.cer

@alexander-marquardt any specific reason for stripping out the PEM headers/footers ? A number of implementations ( including our own ) depend on reading the header when trying to parse keys and certificates from files. See also RFC-7468

@jkakavas - That is the way that I found that worked, after experimenting and trying to figure out how to do this. This worked when the blog was written, and I believe it should still work. I can't remember details of why I did that.

If there is a better way, then we should update the blog with it

@jkakavas - I have verified that this works correctly with the PEM headers/footers left in the certificates. I have also verified that the way that I previously documented also works correctly. However, I will update the blog to use the following.

Private Key
openssl pkcs12 -in client.p12 -nocerts -nodes > client.key
Public Certificate
openssl pkcs12 -in client.p12 -clcerts -nokeys > client.cer
CA Certificate
openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > client-ca.cer

I have also verified that the way that I previously documented also works correctly.

Just to be clear - The previous format ( without the headers ) would work fine for _curl_ commands and probably in Kibana too. However if these PEM files when then used by some other client ,or the user used relevant openssl commands to create PEM certificates to be used by Elasticsearch, we could have an issue.

Thanks for taking care of this @alexander-marquardt

@nerophon can we close this?

@KOTungseth I think this is an addition that is worthwhile to kibana docs in the end of 2.b in https://www.elastic.co/guide/en/kibana/7.3/configuring-tls.html . In a "If you used elasticsearch-certutil to get a PKCS12 store for Elasticsearch, this is how you extract the CA cert as a PEM file to use with elasticsearch.ssl.certificateAuthorities" . This comes up way to often in the forums

Starting in 7.6, Kibana will support PCKS #12 certificates, so this documentation will only be requires for <= 7.5 Kibana

Closed by #54981