Skip to content

[Feature]: Optionally support mutual TLS between Kibana and Elasticsearch #486

Description

@afeefghannam89

Kibana currently authenticates to Elasticsearch with username/password over standard TLS
(the Elastic default). The role already generates a client certificate (<host>-kibana.p12)
via elasticsearch-certutil and copies it to /etc/kibana/certs, but it is never
referenced
in kibana.yml — so it is unused today.

Add opt-in mutual TLS (default: disabled):

  • New toggle (e.g. kibana_elasticsearch_mtls, default false).
  • When enabled, Kibana presents a client certificate. Support two sources:
    • Collection-generated (default): use the already-generated <host>-kibana.p12
      (signed by the shared CA). Gives today's unused certificate a purpose and fits the
      standard setup where Elasticsearch trusts the shared CA.
    • Bring your own: let the user point to their own client certificate/key
      (e.g. kibana_elasticsearch_cert / kibana_elasticsearch_key, or a keystore). Needed
      when Elasticsearch trusts a corporate/external CA instead of the collection's — the
      client cert must then be signed by that CA, so the generated one would be rejected.
    • Wire the chosen source into kibana.yml
      (elasticsearch.ssl.certificate/key or elasticsearch.ssl.keystore.path).
  • Document that Elasticsearch must request client certs
    (xpack.security.http.ssl.client_authentication: optional, typically with a PKI realm —
    Elastic recommends optional, not required).
  • When disabled (default): do not generate the client certificate — removing today's
    unused kibana.p12.

Default behaviour stays credential-based, so this is additive and non-breaking. The
bring-your-own path pairs with the own-CA trust from #483 (Kibana verifying Elasticsearch)
for a full corporate-PKI setup. Depends on #483.

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions