Kibana currently authenticates to Elasticsearch with username/password over standard TLS
(the Elastic default). The role already generates a client certificate (<host>-kibana.p12)
via elasticsearch-certutil and copies it to /etc/kibana/certs, but it is never
referenced in kibana.yml — so it is unused today.
Add opt-in mutual TLS (default: disabled):
- New toggle (e.g.
kibana_elasticsearch_mtls, default false).
- When enabled, Kibana presents a client certificate. Support two sources:
- Collection-generated (default): use the already-generated
<host>-kibana.p12
(signed by the shared CA). Gives today's unused certificate a purpose and fits the
standard setup where Elasticsearch trusts the shared CA.
- Bring your own: let the user point to their own client certificate/key
(e.g. kibana_elasticsearch_cert / kibana_elasticsearch_key, or a keystore). Needed
when Elasticsearch trusts a corporate/external CA instead of the collection's — the
client cert must then be signed by that CA, so the generated one would be rejected.
- Wire the chosen source into
kibana.yml
(elasticsearch.ssl.certificate/key or elasticsearch.ssl.keystore.path).
- Document that Elasticsearch must request client certs
(xpack.security.http.ssl.client_authentication: optional, typically with a PKI realm —
Elastic recommends optional, not required).
- When disabled (default): do not generate the client certificate — removing today's
unused kibana.p12.
Default behaviour stays credential-based, so this is additive and non-breaking. The
bring-your-own path pairs with the own-CA trust from #483 (Kibana verifying Elasticsearch)
for a full corporate-PKI setup. Depends on #483.
Kibana currently authenticates to Elasticsearch with username/password over standard TLS
(the Elastic default). The role already generates a client certificate (
<host>-kibana.p12)via
elasticsearch-certutiland copies it to/etc/kibana/certs, but it is neverreferenced in
kibana.yml— so it is unused today.Add opt-in mutual TLS (default: disabled):
kibana_elasticsearch_mtls, defaultfalse).<host>-kibana.p12(signed by the shared CA). Gives today's unused certificate a purpose and fits the
standard setup where Elasticsearch trusts the shared CA.
(e.g.
kibana_elasticsearch_cert/kibana_elasticsearch_key, or a keystore). Neededwhen Elasticsearch trusts a corporate/external CA instead of the collection's — the
client cert must then be signed by that CA, so the generated one would be rejected.
kibana.yml(
elasticsearch.ssl.certificate/keyorelasticsearch.ssl.keystore.path).(
xpack.security.http.ssl.client_authentication: optional, typically with a PKI realm —Elastic recommends
optional, notrequired).unused
kibana.p12.Default behaviour stays credential-based, so this is additive and non-breaking. The
bring-your-own path pairs with the own-CA trust from #483 (Kibana verifying Elasticsearch)
for a full corporate-PKI setup. Depends on #483.