[DOCS] Added SSL certificates API (elastic/x-pack-elasticsearch#3136)

Original commit: elastic/x-pack-elasticsearch@62cb574fcf
Lisa Cawley 2018-01-17 08:14:02 -08:00 committed by GitHub
parent ef2d2764a5
commit a4fad02d9a
3 changed files with 118 additions and 4 deletions


@ -19,6 +19,7 @@ buildRestTests.expectedUnconvertedCandidates = [
'en/ml/functions/time.asciidoc', 'en/ml/functions/time.asciidoc',
'en/ml/aggregations.asciidoc', 'en/ml/aggregations.asciidoc',
'en/ml/customurl.asciidoc', 'en/ml/customurl.asciidoc',
'en/rest-api/security/ssl.asciidoc',
'en/rest-api/security/users.asciidoc', 'en/rest-api/security/users.asciidoc',
'en/rest-api/security/tokens.asciidoc', 'en/rest-api/security/tokens.asciidoc',
'en/rest-api/watcher/put-watch.asciidoc', 'en/rest-api/watcher/put-watch.asciidoc',
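Review bot: the new entry 'en/rest-api/security/ssl.asciidoc' grows expectedUnconvertedCandidates for a file that is created in this same commit, so the page starts out exempt from the docs REST tests. The new file already marks its request snippet `// CONSOLE` with `// TEST[skip:todo]`; a short note in the commit message or a follow-up issue stating what blocks the conversion would help get this entry removed later instead of lingering in the list.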


@ -4,17 +4,19 @@
* <<security-api-authenticate>> * <<security-api-authenticate>>
* <<security-api-clear-cache>> * <<security-api-clear-cache>>
* <<security-api-users>> * <<security-api-privileges>>
* <<security-api-roles>> * <<security-api-roles>>
* <<security-api-role-mapping>> * <<security-api-role-mapping>>
* <<security-api-privileges>> * <<security-api-ssl>>
* <<security-api-tokens>> * <<security-api-tokens>>
* <<security-api-users>>
include::security/authenticate.asciidoc[] include::security/authenticate.asciidoc[]
include::security/change-password.asciidoc[] include::security/change-password.asciidoc[]
include::security/clear-cache.asciidoc[] include::security/clear-cache.asciidoc[]
include::security/users.asciidoc[] include::security/privileges.asciidoc[]
include::security/roles.asciidoc[] include::security/roles.asciidoc[]
include::security/role-mapping.asciidoc[] include::security/role-mapping.asciidoc[]
include::security/privileges.asciidoc[] include::security/ssl.asciidoc[]
include::security/tokens.asciidoc[] include::security/tokens.asciidoc[]
include::security/users.asciidoc[]
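Review bot: besides adding `<<security-api-ssl>>` and `include::security/ssl.asciidoc[]`, both lists move privileges up and users to the end, which the commit title ("Added SSL certificates API") does not mention. The resulting order is alphabetical and the bullet list stays in step with the include list, so the outcome is fine; one line in the commit message saying the entries were re-sorted would make the diff easier to audit. Separately, the context lines include `security/change-password.asciidoc[]` but show no matching bullet between authenticate and clear-cache, which is worth checking while this list is being touched.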


@ -0,0 +1,111 @@
[role="xpack"]
[[security-api-ssl]]
=== SSL Certificate API
The `certificates` API enables you to retrieve information about the X.509
certificates that are used to encrypt communications in your {es} cluster.
==== Request
`GET /_xpack/ssl/certificates`
==== Description
For more information about how certificates are configured in conjunction with
Transport Layer Security (TLS), see
{xpack-ref}/ssl-tls.html[Setting up SSL/TLS on a cluster].
The API returns a list that includes certificates from all TLS contexts
including:
* {xpack} default TLS settings
* Settings for transport and HTTP interfaces
* TLS settings that are used within authentication realms
* TLS settings for remote monitoring exporters
The list includes certificates that are used for configuring trust, such as
those configured in the `xpack.ssl.truststore` and
`xpack.ssl.certificate_authorities` settings. It also includes certificates that
that are used for configuring server identity, such as `xpack.ssl.keystore` and
`xpack.ssl.certificate` settings.
The list does not include certificates that are sourced from the default SSL
context of the Java Runtime Environment (JRE), even if those certificates are in
use within {xpack}.
If {xpack} is configured to use a keystore or truststore, the API output
includes all certificates in that store, even though some of the certificates
might not be in active use within the cluster.
==== Results
The response is an array of objects, with each object representing a
single certificate. The fields in each object are:
`path`:: (string) The path to the certificate, as configured in the
`elasticsearch.yml` file.
`format`:: (string) The format of the file. One of: `jks`, `PKCS12`, `PEM`.
`alias`:: (string) If the path refers to a container file (a jks keystore, or a
PKCS#12 file), the alias of the certificate. Otherwise, null.
`subject_dn`:: (string) The Distinguished Name of the certificate's subject.
`serial_number`:: (string) The hexadecimal representation of the certificate's
serial number.
`has_private_key`:: (boolean) If {xpack} has access to the private key for this
certificate, this field has a value of `true`.
`expiry`:: (string) The ISO formatted date of the certificate's expiry
(not-after) date.
==== Authorization
If {security} is enabled, you must have `monitor` cluster privileges to use this
API. For more information, see
{xpack-ref}/security-privileges.html[Security Privileges].
==== Examples
The following example provides information about the certificates on a single
node of {es}:
[source,js]
--------------------------------------------------
GET /_xpack/ssl/certificates
--------------------------------------------------
// CONSOLE
// TEST[skip:todo]
The API returns the following results:
[source,js]
----
[
{
"path": "certs/elastic-certificates.p12",
"format": "PKCS12",
"alias": "instance",
"subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
"serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
"has_private_key": false,
"expiry": "2021-01-15T20:42:49.000Z"
},
{
"path": "certs/elastic-certificates.p12",
"format": "PKCS12",
"alias": "ca",
"subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
"serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
"has_private_key": false,
"expiry": "2021-01-15T20:42:49.000Z"
},
{
"path": "certs/elastic-certificates.p12",
"format": "PKCS12",
"alias": "instance",
"subject_dn": "CN=instance",
"serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
"has_private_key": true,
"expiry": "2021-01-15T20:44:32.000Z"
}
]
----
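Review bot: the Description paragraph has a doubled word across a line break ("It also includes certificates that" / "that are used for configuring server identity"); drop one "that". In the Results list, `format` is documented as one of `jks`, `PKCS12`, `PEM` with mixed casing, while the sample response shows "PKCS12"; confirm the exact strings the API returns and list them as returned, since consumers will compare against them. The `expiry` description says "ISO formatted"; naming the standard (ISO 8601) would be more precise. In the sample response the first two objects share the same `subject_dn` and `serial_number` and differ only in `alias` ("instance" and "ca"); a sentence explaining why the same CA certificate appears under two aliases in one PKCS#12 file would keep readers from treating it as a copy-paste error. Because the response exposes configured paths, aliases and `has_private_key` for every certificate in a store to any user with the `monitor` cluster privilege, it would also help to state that scope next to the Authorization section.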