2018-01-17 11:14:02 -05:00
|
|
|
[role="xpack"]
|
|
|
|
[[security-api-ssl]]
|
2018-12-20 13:23:28 -05:00
|
|
|
=== SSL certificate API
|
|
|
|
++++
|
|
|
|
<titleabbrev>SSL certificate</titleabbrev>
|
|
|
|
++++
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The `certificates` API enables you to retrieve information about the X.509
|
|
|
|
certificates that are used to encrypt communications in your {es} cluster.
|
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-ssl-request]]
|
|
|
|
==== {api-request-title}
|
2018-01-17 11:14:02 -05:00
|
|
|
|
2018-12-11 04:13:10 -05:00
|
|
|
`GET /_ssl/certificates`
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-ssl-prereqs]]
|
|
|
|
==== {api-prereq-title}
|
|
|
|
|
|
|
|
* If the {security-features} are enabled, you must have `monitor` cluster
|
|
|
|
privileges to use this API. For more information, see
|
|
|
|
{stack-ov}/security-privileges.html[Security privileges].
|
|
|
|
|
|
|
|
[[security-api-ssl-desc]]
|
|
|
|
==== {api-description-title}
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
For more information about how certificates are configured in conjunction with
|
|
|
|
Transport Layer Security (TLS), see
|
2018-12-19 17:53:37 -05:00
|
|
|
{stack-ov}/ssl-tls.html[Setting up SSL/TLS on a cluster].
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The API returns a list that includes certificates from all TLS contexts
|
|
|
|
including:
|
|
|
|
|
|
|
|
* Settings for transport and HTTP interfaces
|
|
|
|
* TLS settings that are used within authentication realms
|
|
|
|
* TLS settings for remote monitoring exporters
|
|
|
|
|
|
|
|
The list includes certificates that are used for configuring trust, such as
|
2019-01-14 16:06:22 -05:00
|
|
|
those configured in the `xpack.security.transport.ssl.truststore` and
|
|
|
|
`xpack.security.transport.ssl.certificate_authorities` settings. It also
|
|
|
|
includes certificates that are used for configuring server identity, such as
|
|
|
|
`xpack.security.http.ssl.keystore` and
|
|
|
|
`xpack.security.http.ssl.certificate` settings.
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The list does not include certificates that are sourced from the default SSL
|
|
|
|
context of the Java Runtime Environment (JRE), even if those certificates are in
|
2018-12-19 17:53:37 -05:00
|
|
|
use within {es}.
|
2018-01-17 11:14:02 -05:00
|
|
|
|
2018-10-04 03:51:58 -04:00
|
|
|
NOTE: When a PKCS#11 token is configured as the truststore of the JRE, the API
|
|
|
|
will return all the certificates that are included in the PKCS#11 token
|
|
|
|
irrespectively to whether these are used in the {es} TLS configuration or not.
|
|
|
|
|
2018-12-19 17:53:37 -05:00
|
|
|
If {es} is configured to use a keystore or truststore, the API output
|
2018-01-17 11:14:02 -05:00
|
|
|
includes all certificates in that store, even though some of the certificates
|
|
|
|
might not be in active use within the cluster.
|
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-ssl-response-body]]
|
|
|
|
==== {api-response-body-title}
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The response is an array of objects, with each object representing a
|
|
|
|
single certificate. The fields in each object are:
|
|
|
|
|
|
|
|
`path`:: (string) The path to the certificate, as configured in the
|
|
|
|
`elasticsearch.yml` file.
|
|
|
|
`format`:: (string) The format of the file. One of: `jks`, `PKCS12`, `PEM`.
|
|
|
|
`alias`:: (string) If the path refers to a container file (a jks keystore, or a
|
|
|
|
PKCS#12 file), the alias of the certificate. Otherwise, null.
|
|
|
|
`subject_dn`:: (string) The Distinguished Name of the certificate's subject.
|
|
|
|
`serial_number`:: (string) The hexadecimal representation of the certificate's
|
|
|
|
serial number.
|
2018-12-19 17:53:37 -05:00
|
|
|
`has_private_key`:: (boolean) If {es} has access to the private key for this
|
2018-01-17 11:14:02 -05:00
|
|
|
certificate, this field has a value of `true`.
|
|
|
|
`expiry`:: (string) The ISO formatted date of the certificate's expiry
|
|
|
|
(not-after) date.
|
|
|
|
|
|
|
|
|
2019-08-02 13:56:05 -04:00
|
|
|
[[security-api-ssl-example]]
|
|
|
|
==== {api-examples-title}
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The following example provides information about the certificates on a single
|
|
|
|
node of {es}:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
2019-03-12 16:25:16 -04:00
|
|
|
GET /_ssl/certificates
|
2018-01-17 11:14:02 -05:00
|
|
|
--------------------------------------------------
|
|
|
|
// CONSOLE
|
2019-03-12 16:25:16 -04:00
|
|
|
// TEST
|
2018-01-17 11:14:02 -05:00
|
|
|
|
|
|
|
The API returns the following results:
|
2019-03-12 16:25:16 -04:00
|
|
|
|
2018-01-17 11:14:02 -05:00
|
|
|
[source,js]
|
|
|
|
----
|
|
|
|
[
|
|
|
|
{
|
|
|
|
"path": "certs/elastic-certificates.p12",
|
|
|
|
"format": "PKCS12",
|
|
|
|
"alias": "instance",
|
|
|
|
"subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
|
|
|
|
"serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
|
|
|
|
"has_private_key": false,
|
|
|
|
"expiry": "2021-01-15T20:42:49.000Z"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"path": "certs/elastic-certificates.p12",
|
|
|
|
"format": "PKCS12",
|
|
|
|
"alias": "ca",
|
|
|
|
"subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
|
|
|
|
"serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
|
|
|
|
"has_private_key": false,
|
|
|
|
"expiry": "2021-01-15T20:42:49.000Z"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"path": "certs/elastic-certificates.p12",
|
|
|
|
"format": "PKCS12",
|
|
|
|
"alias": "instance",
|
|
|
|
"subject_dn": "CN=instance",
|
|
|
|
"serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
|
|
|
|
"has_private_key": true,
|
|
|
|
"expiry": "2021-01-15T20:44:32.000Z"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
----
|
2019-03-12 16:25:16 -04:00
|
|
|
// NOTCONSOLE
|