I saw there are two type of certificate which is elastic-stack-ca.p12 and elastic-certificates.p12. What are the differences between these two certificate.
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html#generate-certificates
Also I noticed we have HTTP certificate
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup-https.html#encrypt-http-communication
why there are so many certificate.
If I want to send data from beats which certificate should be used? I saw it need .cer and .key
can someone help me to understand this.
You need both, and each one has a specific role.
***ca.p12 is the certificate to the new Certificate Autohirity which is created since Elastic certificated is auto assigned.
***certificate.p12 is the certificate to each single instance of your elasticsearch cluster.
I would recommend you to follow the steps here https://www.elastic.co/guide/en/elasticsearch/reference/current/security-basic-setup.html
Source:
https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html#certutil-ca
ca.p12 -> CA Mode
The ca mode generates a new certificate authority (CA). By default, it produces a single PKCS#12 output file, which holds the CA certificate and the private key for the CA. If you specify the --pem parameter, the command generates a zip file, which contains the certificate and private key in PEM format.
certificates.p12 -> Cert Mode
The cert mode generates X.509 certificates and private keys. By default, it produces a single certificate and key for use on a single instance.
To generate certificates and keys for multiple instances, specify the --multiple parameter, which prompts you for details about each instance. Alternatively, you can use the --in parameter to specify a YAML file that contains details about the instances.
Related
I received five files representing a certificate for a specific domain.
AAACertificateServices.crt
TrustedSecureCertificateAuthority5.crt
USERTrustRSAAAACA.crt
private.key
public.crt
I want to import this certificate using AWS Certificate Manager, but it fails with the message that the private key does not match.
I found under https://stackoverflow.com/a/14491157 the method to convert the key to PEM format, but that's probably not enough. What to do with the chain and the public.crt?
I'm trying to use okhttp to authenticate to a server.
With curl it would be done this way:
curl \
--cert certificate.cer \
--key private-key.pkcs8 \
"https://some-url"
Unfortunately, okhttp-tls appears to always expect a chain of certificates in addition to the held certificate, which isn't something I have.
heldCertificate expects the chain of certificates, in addition to the clientCertificate, contrary to the example provided in the reame:
HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder()
.addTrustedCertificate(rootCertificate.certificate())
.heldCertificate(clientCertificate) // <--------------------
.build();
How can I use okhttp with a single certificate and my private key?
heldCertificates expects a chain of intermediates that may exist between the client certificate (matching the private key) and up to but not including the root CA that the server is known to trust. So this could be left out if no other certificates are required.
See https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-handshake-certificates/-builder/held-certificate/
Configure the certificate chain to use when being authenticated. The
first certificate is the held certificate, further certificates are
included in the handshake so the peer can build a trusted path to a
trusted root certificate.
The chain should include all intermediate certificates but does not
need the root certificate that we expect to be known by the remote
peer. The peer already has that certificate so transmitting it is
unnecessary.
Here are some examples for using a self-signed certificate if known to be trusted already by the server, and also for switching the key used based on the host being connected to. You will need to adapt these based on your exact setup, but they should give you a starting point to test with.
https://github.com/square/okhttp/pull/6470/files
When an application optionally allows you to specify a certificate which represents a certificate authority, what is that doing?
Does that basically set that cert as a "trusted" certificate?
Specific example:
Kibana communicates with elasticsearch. When you configure kibana, you can set the following configuration value:
elasticsearch.ssl.ca
The documentation says this value is an "Optional setting that enables you to specify a path to the PEM file for the certificate authority for your Elasticsearch instance." (source)
Within that same config you're also specifying a certificate and key that can be used for communication with the elasticsearch instance.
If the setting is optional it means that the default behaviour is to use the system Root CAs to validate the SSL Server certificate used by your Elasticsearch instance. If you used a standard commercial SSL Server certificate this should be enough.
Yes, you are setting that certificate as a Root CA but only for this application.
Using the setting you can specify the Root CA used to generated the SSL Server certificate. This is useful if you:
use a selfsigned certificate
use a Root CA that is not available in the system Root CA repository
need to have stringent security settings limiting subset of Root CAs trusted by your application.
Keychain access - >certificate assistant -> request a certificate from a certificate authority -> save to disk -> save as .certSigningequest
Does not generate a public/private key chain, when I go to keys.
How do I solve this, thanks
Request a certificate from a certificate authority creates a Certificate Signing Request, not a public/private key chain. It will create the private key and store it in your key chain (as you named it), but the purpose of that command is to allow you to request a full X.509 certificate from an external Certificate Authority.
If you need to create just a public/private key pair, then it depends a bit on what you are planning on using it for. For example, you can create an SSH public/private key pair by using ssh-keygen.
Similarly, you can create an RSA public/private key pair using the commands from this answer from the security forum.
If, on the other hand, you're actually trying to create your own certificates, not just the public/private key pair, you can use Keychain Access to create a self-signed certificate using the Create a Certificate command. That will contain the signature of your self-signed CA and the public key.
Is there a way to check a certificate is signed by a given root certificate using SecureTransport API similar to OpenSSL X509_verify?
On OS X, the API to create and manipulate certificates is the Certificate, Key, and Trust Services:
Certificate, Key, and Trust Services is a C API for managing
certificates, public and private keys, symmetric keys, and trust
policies in iOS and OS X. You can use these services in your app to:
Create certificates and asymmetric keys
Add certificates and keys to
keychains, remove them from keychains, and use keys to encrypt and
decrypt data
Retrieve information about a certificate, such as the
private key associated with it, the owner, and so on
Convert
certificates to and from portable representations
Create and
manipulate trust policies and evaluate a specific certificate using a
specified set of trust policies
Add anchor certificates
See for example:
SecTrustCreateWithCertificates - Creates a trust management object based on certificates and policies.
SecTrustEvaluate - Evaluates trust for the specified certificate and policies.
SecTrustSetAnchorCertificates - Sets the anchor certificates used when evaluating a trust management object.