diff --git a/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc index 604355e21bf17..44ef8278fb968 100644 --- a/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc +++ b/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc @@ -4,7 +4,7 @@ TLS requires X.509 certificates to perform encryption and authentication of the application that is being communicated with. In order for the communication between nodes to be truly secure, the certificates must be validated. The -recommended approach for validating certificate authenticity in a {es} cluster +recommended approach for validating certificate authenticity in an {es} cluster is to trust the certificate authority (CA) that signed the certificate. By doing this, as nodes are added to your cluster they just need to use a certificate signed by the same CA and the node is automatically allowed to join the cluster. diff --git a/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc index 2e20a20f907ef..c186aebbe2433 100644 --- a/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc +++ b/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc @@ -30,9 +30,13 @@ See <> for a description of the <2> If you created a separate certificate for each node, then you might need to customize this path on each node. If the filename matches the node name, you can use the `certs/${node.name}.p12` format, for example. -<3> The `elasticsearch-certutil` output includes the CA certificate inside the -PKCS#12 keystore, therefore the keystore can also be used as the truststore. -This name should match the `keystore.path` value. +<3> The `elasticsearch-certutil` outputs a PKCS#12 keystore which includes the +CA certificate as a trusted certificate entry. This allows for the keystore to +also be used as a truststore. In this case, the path value should match +the `keystore.path` value. +Note, however, that this is not the general rule. There are keystores that cannot be +used as trustores, only +{ref}/security-settings.html#pkcs12-truststore-note[specifically crafted ones can] -- ** If the certificate is in PEM format, add the following information to the diff --git a/x-pack/docs/en/settings/security-settings.asciidoc b/x-pack/docs/en/settings/security-settings.asciidoc index 587cbb7941755..a98bca676152d 100644 --- a/x-pack/docs/en/settings/security-settings.asciidoc +++ b/x-pack/docs/en/settings/security-settings.asciidoc @@ -1225,6 +1225,19 @@ Password to the truststore. `xpack.ssl.truststore.secure_password` (<>):: Password to the truststore. +[[pkcs12-truststore-note]] +[NOTE] +Storing trusted certificates in a PKCS#12 file, although supported, is +uncommon in practice. The {ref}/certutil.html[`elasticsearch-certutil`] tool, +as well as Java's `keytool`, are designed to generate PKCS#12 files that +can be used both as a keystore and as a truststore, but this may not be the +case for container files that are created using other tools. Usually, +PKCS#12 files only contain secret and private entries. To confirm that +a PKCS#12 container includes trusted certificate ("anchor") entries look for +`2.16.840.1.113894.746875.1.1: ` in the +`openssl pkcs12 -info` output, or `trustedCertEntry` in the +`keytool -list` output. + [[http-tls-ssl-settings]] :ssl-prefix: xpack.security.http :component: HTTP