[[pki-realm]]
=== PKI user authentication

You can configure {security} to use Public Key Infrastructure (PKI) certificates
to authenticate users in {es}. This requires clients to present X.509
certificates.

NOTE: You cannot use PKI certificates to authenticate users in {kib}.

To use PKI in {es}, you configure a PKI realm, enable client authentication on
the desired network layers (transport or http), and map the Distinguished Names
(DNs) from the user certificates to {security} roles in the
<<mapping-roles, role mapping file>>.

See {ref}/configuring-pki-realm.html[Configuring a PKI realm].

[[pki-settings]]
==== PKI Realm Settings

See {ref}/security-settings.html#ref-pki-settings[PKI realm settings].