Deprecate cert gen without a CA and add self-signed option #64037
Conversation
ywangd
added
>enhancement
:Security/Security
|
Pinging @elastic/es-security (:Security/Security) |
|
Does the example in this section of the SAML guide need to be updated to use a CA too?: https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#_generating_certificates_and_keys |
In SAML we don't use PKI but explicit trust of certificates so keeping the CA keys around is not necessary. This was actually one of the cases where the behavior we are now deprecating and removing was helpful and made sense. Instead of doing a 2 step process just for the sake of using |
|
Is it worth adding a |
Thakns for this info. For me, replacing it with openssl has a few downsides:
This is plausible when you need only a single cert. However, it could be problematic when creating multiple certificates. If users try to use it this for multiple nodes, it will at least cause confusion. We could forbid generating mulitple certs if So given the above information, I wonder whether we should re-evaluate our decision on this issue, i.e. whether we should disallow generating CA on the fly entirely? By disallowing it, two-step process is always required to generate CA and certs. Does it go against "easier security setup" idea that we try to uphold? Or will "security-on-by-default" provide a different solution to make this worry obsolete? PS: Another place we generate CA and certs together is for configuring TLS in docker. |
This sounds like a good idea to me.
I don't see this as a dependency, but merely as a suggestion as to how one can generate a keypair (more?) easily if openssl is available. We can have instructions with certutil (only|too), it's just two commands instead of one.
Making changes is not a downside in my opinion.
I don't think there is any problematic behavior wrt to key/certificate generation ( especially for certificates that are merely public key containers )
I think there is that much we can do to prevent misuse of the tools we create. In the same line of thinking, nothing prevents a user to generate a new CA and cert on each node if they are not familiar enough with PKI and certificates.
Can you explain your concern?
+1
I don't think we should re-evaluate. Security on by default would probably not replace our existing tooling with other solutions and I don't see this as making it more difficult for users to set up TLS. The SAML use case affects a fraction of our users since a) request signing is not enabled by default and b) response encryption is not commonly used. I think that a |
What I mean is that our docs talk about separate CA and cert in most places (if not all places). When configuring TLS, the examples have different values (files) for Based on the discussion, I think a new |
…ert-deprecate-no-ca
| @@ -505,11 +505,11 @@ support. Since PEM format is the most commonly supported format, the examples | |||
| below will generate certificates in that format. | |||
|
|
|||
| Using the <<certutil,`elasticsearch-certutil` tool>>, you can generate a | |||
| signing certificate with the following command: | |||
| self-signed certificate with the following command: | |||
There was a problem hiding this comment.
The most important characteristic is that this is a signing certificate (used to sign SAML messages), not that it is a self-signed one. I'd suggest we revert this change
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
| @@ -807,7 +819,8 @@ void generateAndWriteSignedCertificates(Path output, boolean writeZipFile, Optio | |||
| } else { | |||
| final String fileName = entryBase + ".p12"; | |||
| outputStream.putNextEntry(new ZipEntry(fileName)); | |||
| writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, caInfo.certAndKey.cert, | |||
| writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, | |||
There was a problem hiding this comment.
I also think we don't need to add a certificate entry too when we create a self-signed PKCS12, but did we check?
There was a problem hiding this comment.
This is a good point and it turns out the check is missing ...
I now augumented testCreateCaAndMultipleInstances to test p12 generation for self-signed cert.
There was a problem hiding this comment.
My point was actually about the construction of the PKCS#12 bundle and whether or not it suffices to add a private key entry with the key and certificate, or if we also need to add a trusted certificate entry with the certificate too. I believe we don't and other tooling ( keytool, openssl ) seem to agree too :)
| @@ -211,6 +217,9 @@ wish to password-protect your PEM keys, then do not specify | |||
| `--pem`:: Generates certificates and keys in PEM format instead of PKCS#12. This | |||
| parameter cannot be used with the `csr` parameter. | |||
|
|
|||
| `--self-signed`:: Generates self-signed certificates. This parameter is only | |||
| applicable to the `cert` parameter. | |||
There was a problem hiding this comment.
I have a concern, which might not be a big deal, that some people will see this option and use it in places where they shouldn't.
For all TLS scenarios, we recommend having a separation between the CA and the node cert, and I think we want to keep recommending that.
So, are there words we can put here that discourage people from using it for TLS?
There was a problem hiding this comment.
I added a note to state this option should be used with care.
| @@ -505,11 +505,11 @@ support. Since PEM format is the most commonly supported format, the examples | |||
| below will generate certificates in that format. | |||
|
|
|||
| Using the <<certutil,`elasticsearch-certutil` tool>>, you can generate a | |||
| signing certificate with the following command: | |||
| self-signed certificate with the following command: | |||
There was a problem hiding this comment.
I don't think this should change. It is a signing certificate, it just happens to also be self-signed.
There was a problem hiding this comment.
You are right. Ioannis said the same. It's reverted. Thanks.
| @@ -167,8 +167,9 @@ public static void main(String[] args) throws Exception { | |||
|
|
|||
| static final String CA_EXPLANATION = | |||
| " * All certificates generated by this tool will be signed by a certificate authority (CA).\n" + | |||
There was a problem hiding this comment.
This isn't strictly true anymore. Do we care?
There was a problem hiding this comment.
Ioannis has kindly offered suggestion and it should be accurate now.
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
| @@ -807,7 +819,8 @@ void generateAndWriteSignedCertificates(Path output, boolean writeZipFile, Optio | |||
| } else { | |||
| final String fileName = entryBase + ".p12"; | |||
| outputStream.putNextEntry(new ZipEntry(fileName)); | |||
| writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, caInfo.certAndKey.cert, | |||
| writePkcs12(fileName, outputStream, certificateInformation.name.originalName, pair, | |||
There was a problem hiding this comment.
My point was actually about the construction of the PKCS#12 bundle and whether or not it suffices to add a private key entry with the key and certificate, or if we also need to add a trusted certificate entry with the certificate too. I believe we don't and other tooling ( keytool, openssl ) seem to agree too :)
…ck/security/cli/CertificateTool.java Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
tvernum
changed the title
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
| All certificates that are generated by this command are signed by a CA unless | ||
| the `--self-signed` parameter is specified. You can provide your own CA with the | ||
| `--ca` or `--ca-cert` and `--ca-key` parameters. Otherwise, the command automatically generates a new CA for you. | ||
| deprecated:[7.11.0,"Generating certificates without specifying a CA certificate and key is deprecated. In the next major version you must provide a CA certificate unless the `--self-signed` option is specified."] |
There was a problem hiding this comment.
deprecated:[7.11.0,"Generating certificates without specifying a CA certificate and key is deprecated. In the next major version you must provide a CA certificate unless the
--self-signedoption is specified."]
I've combined this information into a single paragraph so that it's (hopefully) clearer what's deprecated.
…ck/security/cli/CertificateTool.java Co-authored-by: Lisa Cawley <lcawley@elastic.co>
| GenerateCertificateCommand() { | ||
| super("generate X.509 certificates and keys"); | ||
| acceptCertificateGenerationOptions(); | ||
| selfSigned = parser.accepts("self-signed", "generate self signed certificates (takes precedence over the ca options)"); |
There was a problem hiding this comment.
Why would this take precedence rather than being an error?
If a user enters
certutil cert --ca foo.p12 --self-signed
that's contradictory, and I would expect it to be an error, but it actually would generate a self signed cert, and ignore the CA. That seems wrong to me.
There was a problem hiding this comment.
Good catch, Thanks. I misunderstood the existing behaviour of --ca and --ca-cert. The two plus the new --self-signed should be mutually exclusive. It is now fixed.
.../plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java
Outdated
Show resolved
Hide resolved
…ck/security/cli/CertificateTool.java Co-authored-by: Tim Vernum <tim@adjective.org>
…ert-deprecate-no-ca
ywangd
changed the title
…4037) Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate. This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0. For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a --self-signed option to the cert sub-command to generate self-signed certificate.
…65575) Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate. This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0. For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a --self-signed option to the cert sub-command to generate self-signed certificate.
Generating a CA on the fly is an attempt at workflow optimisation that was inherited from certgen. There are potential pitfalls with this approach. Overall it is recommended to separate the step of CA creation and mandate a CA to be specified when generating certificate.
This PR add a deprecation message if the cert command is used without specifying a CA. A follow up PR will throw error for this usage in 8.0.
For use case where we explicitly trust a certificate without needing a CA, e.g. SAML message signing, the PR adds a
--self-signedoption to thecertsub-command to generate self-signed certificate.Relates: #61884