In trying to complete my ROR install, I got a system cert from my CA. I converted the PEM (PKCS7) and imported it into the keystore.js file. In the kibana.yml file I set
server.ssl.enabled: true
server.ssl.certificate: /path/to/the/pem (inside Kibana config directory)
server.ssl.key: /path/to/the/key (also inside kibana config directory)
Then when I go to start Kibana I see the error
FATAL Error: digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
Googling it showed me this page: but my PEM file has the chain included in it.
server.ssl.enabled: true
server.ssl.certificate: "keystore.jks" # <-- a path relative to the folder where elasticsearch.yml is found (can also be an absolute path)
server.ssl.key: "somepassword" # <-- just a string, and it's optional
The most difficult part here is to get the jks part right. It must contain the whole certificate chain.
The good part is that this task is no different from creating a java key store for Tomcat, and this is generally something that at least one admin in the company is experienced in doing.
First it says that the key and certificate are required, so I put in the path to the key file.
Then it says it won’t read the keystore.jks, saying it doesn’t have permissions (worked before with self-signed). If I copy the jks into the Kibana config folder and chown it to kibana, now it’s tossing me other errors I’m going to try and track down.
I made sure this time to use the -ext option (docs say it’s optional) and made darn sure that the alias and the ext were exact. I didn’t use the keystore and it just installed it locally.
Then I saved the Key, the base64 Certificate, the PKCS7 version locally - converted the PKCS7 to PEM and set my Kibana to look for the crt, key and the pem.
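A pre-flight check for the files that server.ssl.certificate and server.ssl.key point at, as an added example that is not part of the original post or of Kibana or ROR: it reads only the PEM block labels and headers to report a leftover PKCS7 bundle, a missing chain, or a passphrase-protected key. OpenSSL raises "bad decrypt" when decrypting a private key fails; that this is the cause in the case above is an assumption, and the function names and sample files are hypothetical.

```python
import re

# Matches one PEM block and captures its label and body (headers + base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Count what a PEM file holds, using block labels and headers only."""
    found = {"certificates": 0, "keys": 0, "encrypted_keys": 0, "pkcs7": 0}
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            found["certificates"] += 1
        elif label == "PKCS7":
            found["pkcs7"] += 1
        elif label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, passphrase-protected
            found["keys"] += 1
            found["encrypted_keys"] += 1
        elif label.endswith("PRIVATE KEY"):
            found["keys"] += 1
            # Traditional OpenSSL keys flag encryption in a Proc-Type header.
            if re.search(r"^Proc-Type:\s*4,ENCRYPTED", body, re.M):
                found["encrypted_keys"] += 1
    return found

def preflight(cert_text, key_text, passphrase_configured=False):
    """Return a list of problems to fix before pointing kibana.yml at the files."""
    cert, key = inspect_pem(cert_text), inspect_pem(key_text)
    problems = []
    if cert["pkcs7"]:
        problems.append("certificate file is still PKCS7; convert it to PEM certificates")
    if cert["certificates"] == 0:
        problems.append("no CERTIFICATE block in the certificate file")
    elif cert["certificates"] == 1:
        problems.append("only one certificate present; intermediates are not included")
    if key["keys"] != 1:
        problems.append("key file must hold exactly one private key")
    elif key["encrypted_keys"] and not passphrase_configured:
        problems.append("private key is encrypted but no passphrase is configured")
    return problems

# Constructed sample files: the base64 bodies are placeholders, not real key material.
BODY = "Q09OU1RSVUNURUQ=\n"
CERT = "-----BEGIN CERTIFICATE-----\n" + BODY + "-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00\n\n" + BODY + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for problem in preflight(CERT + CERT, ENC_KEY):
        print("WARN:", problem)
```

Pass passphrase_configured=True when kibana.yml sets server.ssl.keyPassphrase; the check does not validate signatures or confirm that the key matches the certificate.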