From 56dfb4f2eeff84074cee858db1099e2ee164d0d5 Mon Sep 17 00:00:00 2001 From: Kuni Sen Date: Fri, 29 Aug 2025 15:42:41 +0900 Subject: [PATCH 1/8] Clarify adminconsole certs --- .../manage-security-certificates.md | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 52318315ee..a823d35863 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -60,6 +60,19 @@ The PEM file should be structured like this: Each key and certificate would be generated by you or your IT team. +::::{note} +{{ece}} expects to have private key start with a header of `-----BEGIN RSA PRIVATE KEY-----`. If your private key starts with a different header, for example, `-----BEGIN PRIVATE KEY-----` (no `RSA`), you will get error: + +```json +{ + "code" : "cert.invalid_cert_chain", + "message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]" +} +``` + +We recommend you to review your certificate generating tool related documentation for how to obtain the ECE expected hearder for your private key. For example, if you use OpenSSL to generate your private key, you can use `-traditional` option. +:::: + ## Get existing ECE security certificates [ece-existing-security-certificates] 
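Review bot: The new note on `-----BEGIN RSA PRIVATE KEY-----` (PATCH 1/8, first hunk) states only half of what the quoted error actually checks: the message says `expected unencrypted rsa private key`, so the key must be RSA, in the PKCS#1 (`RSA PRIVATE KEY`) encoding, and not passphrase-protected. Suggest naming all three requirements and explaining that `-----BEGIN PRIVATE KEY-----` is the PKCS#8 wrapper that OpenSSL 3 `genrsa` and `genpkey` emit by default, which is why freshly generated keys hit this error. Also `hearder` is a typo for `header` in the last paragraph of the note.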
@@ -295,6 +308,36 @@ To add a proxy certificate from the command line: openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero ``` +## Add an Adminconsole certificate [ece-tls-adminconsole] + +::::{note} +In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI. +:::: + +To add an Adminconsole certificate from the Cloud UI: + +1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md). +2. From the **Platform** menu, select **Settings**. +3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file. + +To get the details of the certificate you added, select **Show certificate chain**. + +To add an Adminconsole certificate from the command line: + +1. Add the certificate for the Adminconsole to your {{ece}} installation, where `CA_CERTIFICATE_FILENAME` is the name of the CA certificate you downloaded earlier and `ADMINCONSOLE_PEM_FILENAME` is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate: + + ``` + curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @ADMINCONSOLE_PEM_FILENAME --user "admin:PASSWORD" "https://admin:12443/api/v1/platform/configuration/security/tls/adminconsole" + ``` + +2. Log out of the Cloud UI and log in again. +3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser. + + Alternatively, you can also check the certificate using the openssl command: + + ``` + openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero + ``` ## Limitations [ece-tls-limitations] 
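Review bot: In the command-line procedure of the new `Add an Adminconsole certificate` section (PATCH 1/8, second hunk), steps 2 and 3 do not verify what was changed: logging back into the Cloud UI and checking for browser warnings exercises the Cloud UI listener on 12443, not the adminconsole listener on 12343 that this certificate serves. Only the `openssl s_client ... -connect containerhost:12343` check at the end validates the new chain, so drop or reword steps 2 and 3 and make the openssl check the primary verification. The two commands also use different host placeholders (`admin:12443` in the curl, `containerhost:12343` in the openssl check); use one placeholder so it is clear both target the same host.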
From 4692d93d8027c25b54e28020915c1a5e8e6fb640 Mon Sep 17 00:00:00 2001 From: Kuni Sen Date: Tue, 2 Sep 2025 17:20:32 +0900 Subject: [PATCH 2/8] Update manage-security-certificates.md Adding a note to solve https://github.com/elastic/docs-content/pull/2754#issuecomment-3244276460 --- .../manage-security-certificates.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index a823d35863..05e4ab9d81 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -17,7 +17,7 @@ In these instructions, we show you how you can download the security certificate You can change the certificates for the following ECE components separately: Cloud UI certificate -: Used to connect securely to the Cloud UI and to make RESTful API calls. +: Used to connect securely to the Cloud UI. Proxy certificate : Used to connect securely to {{es}} clusters and {{kib}}. You should use a wildcard certificate rooted at the [cluster endpoint that you set](../../deploy/cloud-enterprise/change-endpoint-urls.md) (`*.example.com`, for example). A wildcard certificate is required, because the first label of the DNS address is distinct for {{es}} clusters and {{kib}} (`bc898abb421843918ebc31a513169a.example.com`, for example). @@ -31,6 +31,9 @@ Proxy certificate After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors. +Adminconsole certificate +: Used to connect securely to make RESTful API calls. + ## Before you begin [ece_before_you_begin_7] 
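Review bot: Dropping `and to make RESTful API calls` from the Cloud UI entry (PATCH 2/8, first hunk) makes that entry inaccurate: the page's own CLI steps call `https://admin:12443/api/v1/...` with `--cacert`, and those requests are validated against the Cloud UI certificate, not the adminconsole one. Keep the API wording on the Cloud UI entry and describe the adminconsole certificate as covering the separate API listener instead.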
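Review bot: The new `Adminconsole certificate` definition (PATCH 2/8, second hunk) is inserted after the `After the certificates have been installed...` paragraph, which reads as the summary closing the list, so it ends up separated from the `Cloud UI certificate` and `Proxy certificate` entries it belongs with. Move it directly after the Proxy certificate entry, before the summary paragraph. `Used to connect securely to make RESTful API calls` also gives the reader no way to tell it apart from the Cloud UI entry; say which listener it protects.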
From 4b078722a7528ec539a476a30e1774c253626d0f Mon Sep 17 00:00:00 2001 From: Kuni Sen <30574753+kunisen@users.noreply.github.com> Date: Tue, 2 Sep 2025 17:31:28 +0900 Subject: [PATCH 3/8] Update deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../manage-security-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 05e4ab9d81..d231cae012 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -64,7 +64,7 @@ The PEM file should be structured like this: Each key and certificate would be generated by you or your IT team. ::::{note} -{{ece}} expects to have private key start with a header of `-----BEGIN RSA PRIVATE KEY-----`. If your private key starts with a different header, for example, `-----BEGIN PRIVATE KEY-----` (no `RSA`), you will get error: +{{ece}} requires the private key to begin with the header `-----BEGIN RSA PRIVATE KEY-----`. If your key instead starts with a different header, such as `-----BEGIN PRIVATE KEY-----` (without `RSA`), an error occurs: ```json { From 1ab4433de3765efd63187770c7d0d93800322e2b Mon Sep 17 00:00:00 2001 
From: Kuni Sen <30574753+kunisen@users.noreply.github.com> Date: Tue, 2 Sep 2025 17:31:44 +0900 Subject: [PATCH 4/8] Update deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../manage-security-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index d231cae012..48bb31e6b3 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -73,7 +73,7 @@ Each key and certificate would be generated by you or your IT team. } ``` -We recommend you to review your certificate generating tool related documentation for how to obtain the ECE expected hearder for your private key. For example, if you use OpenSSL to generate your private key, you can use `-traditional` option. +We recommend reviewing the documentation for your certificate generation tool to learn how to obtain the private key header expected by {{ece}}. For example, if you use OpenSSL, you can add the `-traditional` option when generating the key. :::: From a22c2e452fad31dbb4bcbfa14b29d97c0e9b5456 Mon Sep 17 00:00:00 2001 From: Kuni Sen Date: Thu, 18 Sep 2025 13:47:12 +0900 Subject: [PATCH 5/8] Update manage-security-certificates.md --- .../manage-security-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
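Review bot: `add the -traditional option when generating the key` (PATCH 4/8) needs a version caveat and a concrete command: `-traditional` was added in OpenSSL 3.0, where `genrsa` switched to writing PKCS#8 by default; OpenSSL 1.1.1 `genrsa` already writes `BEGIN RSA PRIVATE KEY` and does not accept the flag. Suggest showing `openssl genrsa -traditional -out key.pem 2048` for new keys and `openssl rsa -in key.pem -traditional -out key.pkcs1.pem` for converting a key that already exists, so users are not told to regenerate a key that already has a certificate issued for it.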
diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 48bb31e6b3..cf90489780 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -17,7 +17,7 @@ In these instructions, we show you how you can download the security certificate You can change the certificates for the following ECE components separately: Cloud UI certificate -: Used to connect securely to the Cloud UI. +: Used to connect securely to the Cloud UI and to make RESTful API calls. Proxy certificate : Used to connect securely to {{es}} clusters and {{kib}}. You should use a wildcard certificate rooted at the [cluster endpoint that you set](../../deploy/cloud-enterprise/change-endpoint-urls.md) (`*.example.com`, for example). A wildcard certificate is required, because the first label of the DNS address is distinct for {{es}} clusters and {{kib}} (`bc898abb421843918ebc31a513169a.example.com`, for example). From be6e7653997f2b927f508bb6d9b53c6c3d877671 Mon Sep 17 00:00:00 2001 From: Kuni Sen Date: Mon, 22 Sep 2025 16:13:19 +0900 Subject: [PATCH 6/8] Update manage-security-certificates.md --- .../manage-security-certificates.md | 16 ++-------------- 1 file changed, 2 insertions(+), 14 deletions(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index cf90489780..0d0b9e2c28 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md 
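Review bot: PATCH 5/8 restores `and to make RESTful API calls` on the Cloud UI entry, which is correct given the curl commands on this page, but with PATCH 2/8 still applied both the Cloud UI and the Adminconsole entries now claim the REST API with no indication of which port each serves. Reword the Adminconsole entry in the same patch so the two are distinguishable (the verify command later in the file shows 12343 for the adminconsole listener versus 12443 for the Cloud UI).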
+++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -32,8 +32,7 @@ Proxy certificate After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors. Adminconsole certificate -: Used to connect securely to make RESTful API calls. - +: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend reusing the UI certificate for this purpose. ## Before you begin [ece_before_you_begin_7] @@ -325,18 +324,7 @@ To add an Adminconsole certificate from the Cloud UI: To get the details of the certificate you added, select **Show certificate chain**. -To add an Adminconsole certificate from the command line: - -1. Add the certificate for the Adminconsole to your {{ece}} installation, where `CA_CERTIFICATE_FILENAME` is the name of the CA certificate you downloaded earlier and `ADMINCONSOLE_PEM_FILENAME` is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate: - - ``` - curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @ADMINCONSOLE_PEM_FILENAME --user "admin:PASSWORD" "https://admin:12443/api/v1/platform/configuration/security/tls/adminconsole" - ``` - -2. Log out of the Cloud UI and log in again. -3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser. - - Alternatively, you can also check the certificate using the openssl command: +You can verify the new certificate chain by using the openssl command: ``` openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero From db6c3b1a6e41b8890f4b41d439bdec6079123fbd Mon Sep 17 00:00:00 2001 
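Review bot: The first hunk of PATCH 6/8 removes the blank line between the new Adminconsole definition and the `## Before you begin` heading, so the heading now directly follows a definition-list body; keep the blank line, since a heading without a preceding blank line fails markdown lint and some renderers attach it to the previous block. `in rare scenarios where the UI is unavailable` is also the first time the page says what this listener is for; consider stating that it is the API endpoint on the adminconsole itself, reached without going through the Cloud UI.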
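Review bot: In the second hunk of PATCH 6/8, removing the numbered list leaves the `openssl s_client` fence indented by four spaces under a plain paragraph; without the enclosing list item that indentation turns the fence into an indented code block, so the backtick lines render literally. Dedent the fence and its closing backticks to column 0. The hunk also deletes the only documented way to set this certificate from the command line, including the `curl ... /api/v1/platform/configuration/security/tls/adminconsole` call, while the Cloud UI and proxy sections keep their CLI variants; if the API route is intentionally undocumented, say so, otherwise keep the curl step and drop just the two verification steps that targeted the Cloud UI.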
From: Kuni Sen <30574753+kunisen@users.noreply.github.com> Date: Thu, 25 Sep 2025 09:15:40 +0900 Subject: [PATCH 7/8] Update deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../manage-security-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 0d0b9e2c28..0a71e81258 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -32,7 +32,7 @@ Proxy certificate After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors. Adminconsole certificate -: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend reusing the UI certificate for this purpose. +: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend using the same certificate as the one configured for the Cloud UI. ## Before you begin [ece_before_you_begin_7] From 872eaa9e0276efed6764ad7d205e471c74857807 Mon Sep 17 00:00:00 2001 
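Review bot: `an alternative API port` in PATCH 7/8 leaves the reader guessing which port the adminconsole certificate is presented on; the verify command in the same file connects to `containerhost:12343`, so name 12343 here (and 12443 for the Cloud UI) so the two entries are distinguishable. `This certificate facilitates a secure connection to` can be shortened to `Secures connections to`.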
From: Kuni Sen <30574753+kunisen@users.noreply.github.com> Date: Thu, 25 Sep 2025 09:16:19 +0900 Subject: [PATCH 8/8] Update deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Edu González de la Herrán <25320357+eedugon@users.noreply.github.com> --- .../manage-security-certificates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 0a71e81258..9c0a635353 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -72,7 +72,7 @@ Each key and certificate would be generated by you or your IT team. } ``` -We recommend reviewing the documentation for your certificate generation tool to learn how to obtain the private key header expected by {{ece}}. For example, if you use OpenSSL, you can add the `-traditional` option when generating the key. +Review the documentation for your certificate generation tool to determine how to obtain the private key header expected by {{ece}}. For example, with OpenSSL you can add the `-traditional` option when generating the key. ::::
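Review bot: `obtain the private key header expected by {{ece}}` (PATCH 8/8) describes the requirement by its PEM label rather than by the encoding, which is what other tools' documentation indexes on; say that {{ece}} needs the key as an unencrypted PKCS#1 (`RSA PRIVATE KEY`, OpenSSL's "traditional") key rather than PKCS#8, and then the OpenSSL `-traditional` example reads as one instance of that rule instead of the only known fix.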