Commit 6ef315c4 authored by CI Runner

Mention PFX alongside with PKCS12

parent aa91c9b1
......@@ -18,7 +18,7 @@ Copryight 2017 floragunn GmbH
The Search Guard configuration, including users, roles and permissions, is stored in an index on the Elasticsearch cluster. This allows for hot configuration reloading, and eliminates the need to place configuration files on any node.
Configuration settings are loaded into the Search Guard configuration index using the `sgadmin` tool. `sgadmin` identifies itself against a Search Guard secured Elasticsearch cluster via an admin TLS certificate, either in `.pem` or `.jks` format.
Configuration settings are loaded into the Search Guard configuration index using the `sgadmin` tool. `sgadmin` identifies itself against a Search Guard secured Elasticsearch cluster via an admin TLS certificate, either in `.pem`, `.jks`, `.p12` or `.pfx` format.
If the Search Guard index is inititialized, you can also use the Kibana Configuration GUI to change users, roles and permissions. However, you need to run `sgadmin` at least once to initialize the index and configure the authentication and authorization methods you would like to use.
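Review bot: In the changed sentence, "either" no longer fits now that four alternatives follow, and `.pem`, `.jks`, `.p12` and `.pfx` are file extensions rather than formats. Suggest "via an admin TLS certificate in PEM, JKS or PKCS12 (`.p12`/`.pfx`) format", which also lines up with the "PKCS12/PFX" wording used in the other hunks of this commit. The unchanged line after it has "inititialized", which could be corrected to "initialized" in the same change.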
......@@ -126,11 +126,11 @@ Use the following options to control the key and truststore settings:
|---|---|
| -ks | The location of the keystore containing the admin certificate and all intermediate certificates, if any. You can use an absolute or relative path. Relative paths are resolved relative to the execution directory of sgadmin.|
| -kspass | The password for the keystore.|
| -kst | The key store type, either JKS or PKCS12. If not specified, Search Guard tries to deduct the type from the file extension.|
| -kst | The key store type, either JKS or PKCS12/PFX. If not specified, Search Guard tries to deduct the type from the file extension.|
| -ksalias | The alias of the admin certificate, if any.|
| -ts | The location of the truststore containing the root certificate. You can use an absolute or relative path. Relative paths are resolved relative to the execution directory of sgadmin.|
| -tspass | The password for the truststore.|
| -tst | The trust store type, either JKS or PKCS12. If not specified, Search Guard tries to deduct the type from the file extension.|
| -tst | The trust store type, either JKS or PKCS12/PFX. If not specified, Search Guard tries to deduct the type from the file extension.|
| -tsalias | The alias for the root certificate, if any.|
## Command line options
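Review bot: The `-kst` and `-tst` rows now read "JKS or PKCS12/PFX" but do not say which literal value to pass or which file extensions the automatic detection recognises. Since the first hunk lists `.p12` and `.pfx`, state here whether both extensions are detected as PKCS12 and whether `PFX` is itself accepted as a type value. While these two lines are being touched, "tries to deduct the type" should read "tries to deduce the type".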
......
......@@ -27,7 +27,7 @@ When moving Search Guard to production you most likely want to use certificates
Search Guard supports certificates in the following formats:
* X509 PEM certificates and PKCS8 private keys
* Keystores and truststores in JKS or PKCS12 format
* Keystores and truststores in JKS or PKCS12/PFX format
## Types of certificates
......
......@@ -48,17 +48,17 @@ Use the following keys to configure the location of your PEM certificates and pr
| searchguard.ssl.http.pemtrustedcas_filepath | Path to the root CA(s) (PEM format), which must be under the config/ directory, specified using a relative path (mandatory) |
## Using Keystore and Truststore files
As an alternative to certificates and private keys in PEM format, you can also use keystore and truststore files in JKS or PKCS12 format. The following settings configure the location and password of your keystore and truststore files. You can use different keystore and truststore files for the REST and the transport layer if required.
As an alternative to certificates and private keys in PEM format, you can also use keystore and truststore files in JKS or PKCS12/PFX format. The following settings configure the location and password of your keystore and truststore files. You can use different keystore and truststore files for the REST and the transport layer if required.
### Transport layer TLS
| Name | Description |
|---|---|
| searchguard.ssl.transport.keystore\_type | The type of the keystore file, JKS or PKCS12 (Optional, default: JKS) |
| searchguard.ssl.transport.keystore\_type | The type of the keystore file, JKS or PKCS12/PFX (Optional, default: JKS) |
| searchguard.ssl.transport.keystore\_filepath | Path to the keystore file, which must be under the config/ directory, specified using a relative path (mandatory) |
| searchguard.ssl.transport.keystore\_alias: my\_alias | Alias name (optional, default: first alias which could be found) |
| searchguard.ssl.transport.keystore_password | Keystore password (default: changeit) |
| searchguard.ssl.transport.truststore_type | The type of the truststore file, JKS or PKCS12 (default: JKS) |
| searchguard.ssl.transport.truststore_type | The type of the truststore file, JKS or PKCS12/PFX (default: JKS) |
| searchguard.ssl.transport.truststore_filepath | Path to the truststore file, which must be under the config/ directory, specified using a relative path (mandatory) |
| searchguard.ssl.transport.truststore\_alias | Alias name (optional, default: all certificates) |
| searchguard.ssl.transport.truststore_password | Truststore password (default: changeit) |
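Review bot: In the `searchguard.ssl.transport.keystore_type` and `truststore_type` rows the default stays JKS, so anyone pointing `keystore_filepath` at a `.p12` or `.pfx` file has to set the type explicitly, yet "PKCS12/PFX" does not read as a value that can be typed into the configuration. Give the exact accepted string(s) in the description. The unchanged `keystore\_alias: my\_alias` row carries an example value in the Name column and could be cleaned up in the same pass.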
......@@ -68,11 +68,11 @@ As an alternative to certificates and private keys in PEM format, you can also u
| Name | Description |
|---|---|
| searchguard.ssl.http.enabled | Whether to enable TLS on the REST layer or not. If enabled, only HTTPS is allowed. (Optional, default: false) |
| searchguard.ssl.http.keystore\_type | The type of the keystore file, JKS or PKCS12 (Optional, default: JKS) |
| searchguard.ssl.http.keystore\_type | The type of the keystore file, JKS or PKCS12/PFX (Optional, default: JKS) |
| searchguard.ssl.http.keystore\_filepath | Path to the keystore file, which must be under the config/ directory, specified using a relative path (mandatory) |
| searchguard.ssl.http.keystore\_alias | Alias name (optional, default: first alias which could be found) |
| searchguard.ssl.http.keystore_password | Keystore password (default: changeit) |
| searchguard.ssl.http.truststore_type | The type of the truststore file, JKS or PKCS12 (default: JKS) |
| searchguard.ssl.http.truststore_type | The type of the truststore file, JKS or PKCS12/PFX (default: JKS) |
| searchguard.ssl.http.truststore_filepath | Path to the truststore file, which must be under the config/ directory, specified using a relative path (mandatory) |
| searchguard.ssl.http.truststore\_alias | Alias name (optional, default: all certificates) |
| searchguard.ssl.http.truststore_password | Truststore password (default: changeit) |
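Review bot: The changed `searchguard.ssl.http.truststore_type` row says "(default: JKS)" while the changed `keystore_type` row says "(Optional, default: JKS)". Since both lines are being edited anyway, align the wording so readers do not infer that the truststore type is mandatory.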
......
......@@ -72,7 +72,7 @@ Java uses **keystores** and a **truststores** to store certificates and private
The **keystore** holds the private keys and the associated certificates. It is used to **provide credentials** to the communication partner.
Search Guard supports two key and truststore formats: JKS and PKCS12. In addition, certificates in PEM format are also supported since v12.
Search Guard supports two key and truststore formats: JKS and PKCS12/PFX. In addition, certificates in PEM format are also supported since v12.
In a typical Search Guard setup, each node in the cluster has both a keystore and a truststore. If a node wants to communicate with another node, it uses its own certificate stored in the keystore to identify itself.
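Review bot: "supports two key and truststore formats: JKS and PKCS12/PFX" can be read as listing three formats. PFX is commonly used as another name for PKCS12 files, so wording such as "JKS and PKCS12 (also known as PFX)" keeps the count of two unambiguous.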
......