-
Notifications
You must be signed in to change notification settings - Fork 24.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deprecate cert gen without a CA and add self-signed option #64037
Deprecate cert gen without a CA and add self-signed option #64037
Conversation
Pinging @elastic/es-security (:Security/Security) |
Does the example in this section of the SAML guide need to be updated to use a CA too?: https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#_generating_certificates_and_keys |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One comment, otherwise LGTM
In SAML we don't use PKI but explicit trust of certificates so keeping the CA keys around is not necessary. This was actually one of the cases where the behavior we are now deprecating and removing was helpful and made sense. Instead of doing a 2 step process just for the sake of using |
Is it worth adding a |
Thakns for this info. For me, replacing it with openssl has a few downsides:
This is plausible when you need only a single cert. However, it could be problematic when creating multiple certificates. If users try to use it this for multiple nodes, it will at least cause confusion. We could forbid generating mulitple certs if So given the above information, I wonder whether we should re-evaluate our decision on this issue, i.e. whether we should disallow generating CA on the fly entirely? By disallowing it, two-step process is always required to generate CA and certs. Does it go against "easier security setup" idea that we try to uphold? Or will "security-on-by-default" provide a different solution to make this worry obsolete? PS: Another place we generate CA and certs together is for configuring TLS in docker. |
This sounds like a good idea to me.
I don't see this as a dependency, but merely as a suggestion as to how one can generate a keypair (more?) easily if openssl is available. We can have instructions with certutil (only|too), it's just two commands instead of one.
Making changes is not a downside in my opinion.
I don't think there is any problematic behavior wrt to key/certificate generation ( especially for certificates that are merely public key containers )
I think there is that much we can do to prevent misuse of the tools we create. In the same line of thinking, nothing prevents a user to generate a new CA and cert on each node if they are not familiar enough with PKI and certificates.
Can you explain your concern?
+1
I don't think we should re-evaluate. Security on by default would probably not replace our existing tooling with other solutions and I don't see this as making it more difficult for users to set up TLS. The SAML use case affects a fraction of our users since a) request signing is not enabled by default and b) response encryption is not commonly used. I think that a |
What I mean is that our docs talk about separate CA and cert in most places (if not all places). When configuring TLS, the examples have different values (files) for Based on the discussion, I think a new |
…ert-deprecate-no-ca
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few comments and suggestions. Can we also update the PR description to mention the self-signed option?
@@ -505,11 +505,11 @@ support. Since PEM format is the most commonly supported format, the examples | |||
below will generate certificates in that format. | |||
|
|||
Using the <<certutil,`elasticsearch-certutil` tool>>, you can generate a | |||
signing certificate with the following command: | |||
self-signed certificate with the following command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The most important characteristic is that this is a signing
certificate (used to sign SAML messages), not that it is a self-signed
one. I'd suggest we revert this change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right. Reverted.
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
@@ -807,7 +819,8 @@ void generateAndWriteSignedCertificates(Path output, boolean writeZipFile, Optio | |||
} else { | |||
final String fileName = entryBase + ".p12"; | |||
outputStream.putNextEntry(new ZipEntry(fileName)); | |||
writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, caInfo.certAndKey.cert, | |||
writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also think we don't need to add a certificate entry too when we create a self-signed PKCS12, but did we check?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a good point and it turns out the check is missing ...
I now augumented testCreateCaAndMultipleInstances
to test p12 generation for self-signed cert.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My point was actually about the construction of the PKCS#12 bundle and whether or not it suffices to add a private key entry with the key and certificate, or if we also need to add a trusted certificate entry with the certificate too. I believe we don't and other tooling ( keytool, openssl ) seem to agree too :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, It looks like I had these comments pending for a week or so & didn't submit them...
@@ -211,6 +217,9 @@ wish to password-protect your PEM keys, then do not specify | |||
`--pem`:: Generates certificates and keys in PEM format instead of PKCS#12. This | |||
parameter cannot be used with the `csr` parameter. | |||
|
|||
`--self-signed`:: Generates self-signed certificates. This parameter is only | |||
applicable to the `cert` parameter. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a concern, which might not be a big deal, that some people will see this option and use it in places where they shouldn't.
For all TLS scenarios, we recommend having a separation between the CA and the node cert, and I think we want to keep recommending that.
So, are there words we can put here that discourage people from using it for TLS?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added a note to state this option should be used with care.
@@ -505,11 +505,11 @@ support. Since PEM format is the most commonly supported format, the examples | |||
below will generate certificates in that format. | |||
|
|||
Using the <<certutil,`elasticsearch-certutil` tool>>, you can generate a | |||
signing certificate with the following command: | |||
self-signed certificate with the following command: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this should change. It is a signing certificate, it just happens to also be self-signed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right. Ioannis said the same. It's reverted. Thanks.
@@ -167,8 +167,9 @@ public static void main(String[] args) throws Exception { | |||
|
|||
static final String CA_EXPLANATION = | |||
" * All certificates generated by this tool will be signed by a certificate authority (CA).\n" + |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't strictly true anymore. Do we care?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ioannis has kindly offered suggestion and it should be accurate now.
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I'll defer more scrutiny of the wording changes to Lisa and Tim
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
@@ -807,7 +819,8 @@ void generateAndWriteSignedCertificates(Path output, boolean writeZipFile, Optio | |||
} else { | |||
final String fileName = entryBase + ".p12"; | |||
outputStream.putNextEntry(new ZipEntry(fileName)); | |||
writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, caInfo.certAndKey.cert, | |||
writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My point was actually about the construction of the PKCS#12 bundle and whether or not it suffices to add a private key entry with the key and certificate, or if we also need to add a trusted certificate entry with the certificate too. I believe we don't and other tooling ( keytool, openssl ) seem to agree too :)
…ck/security/cli/CertificateTool.java Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
All certificates that are generated by this command are signed by a CA unless | ||
the `--self-signed` parameter is specified. You can provide your own CA with the | ||
`--ca` or `--ca-cert` and `--ca-key` parameters. Otherwise, the command automatically generates a new CA for you. | ||
deprecated:[7.11.0,"Generating certificates without specifying a CA certificate and key is deprecated. In the next major version you must provide a CA certificate unless the `--self-signed` option is specified."] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
deprecated:[7.11.0,"Generating certificates without specifying a CA certificate and key is deprecated. In the next major version you must provide a CA certificate unless the
--self-signed
option is specified."]
I've combined this information into a single paragraph so that it's (hopefully) clearer what's deprecated.
…ck/security/cli/CertificateTool.java Co-authored-by: Lisa Cawley <lcawley@elastic.co>
GenerateCertificateCommand() { | ||
super("generate X.509 certificates and keys"); | ||
acceptCertificateGenerationOptions(); | ||
selfSigned = parser.accepts("self-signed", "generate self signed certificates (takes precedence over the ca options)"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would this take precedence rather than being an error?
If a user enters
certutil cert --ca foo.p12 --self-signed
that's contradictory, and I would expect it to be an error, but it actually would generate a self signed cert, and ignore the CA. That seems wrong to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch, Thanks. I misunderstood the existing behaviour of --ca
and --ca-cert
. The two plus the new --self-signed
should be mutually exclusive. It is now fixed.
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
…ck/security/cli/CertificateTool.java Co-authored-by: Tim Vernum <tim@adjective.org>
…ert-deprecate-no-ca
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
…4037) Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate. This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0. For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a --self-signed option to the cert sub-command to generate self-signed certificate.
…65575) Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate. This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0. For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a --self-signed option to the cert sub-command to generate self-signed certificate.
Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate.
This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0.
For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a
--self-signed
option to thecert
sub-command to generate self-signed certificate.Relates: #61884