Custom certificates in distributed model #11867
Version: 2.4.3
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Meets minimum requirements
CPU: 4
RAM: 12GB
Storage for /: 200GB
Storage for /nsm: 200GB
Network Traffic Collection: other (please provide detail below)
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues

Detail:
I feel like I'm missing some high-level concept trying to get our grid nodes to communicate with custom certificates. We are working to set up a distributed architecture and currently have 1 search, 1 manager, and 1 fleet server/forward node. All were installed from the ISO and are currently set up and working without an issue.

Before enrolling some agents to link up with the fleet server node, I was trying to get the fleet server node to respond with a certificate issued from our CA specifically for the fleet server. All systems we will install the agent on will already trust certs from our CA, but the fleet server was set up with a certificate that appears to be signed by the manager. I've also noticed all of the other nodes are communicating with certs signed by the manager and will need to update them to use certs from our CA.

Specifically, the documentation for an Elastic Fleet server on the Security Onion and Elastic sites does not seem applicable, because the ISO sets up the Elastic Agent in a Docker container that does not allow changes and reverts any changes to the container when it is restarted. This prevents me from adjusting any of the Elastic Agent configuration to point to certs we generated for the fleet server.

At a higher level, it seems like having to manage custom certificates on each node as this grows would be a bit of a challenge, and there is either a way to have the manager distribute certs automatically or perhaps people aren't using custom certs?

So my questions are:
2.) If I am on the right track, how do we get fleet server nodes to use custom certs if we cannot persist changes to the Docker container's file system?
Replies: 1 comment 3 replies
We have found there is already a bind mount for the Docker container to a server certificate in /etc/pki, and we cannot add a bind mount in the SOC; otherwise you will get a duplicate bind mount error on start of the container. When we replace the certificate outside the container and restart the container to load with the cert from our CA, something overwrites the cert outside the container with a new self-signed cert. It seems like replacing this certificate outside the container on the fleet server is what we are supposed to do, but how do we prevent the certificate from being overwritten when the fleet service starts? We are using so-elastic-fleet-start to start the service after replacing the cert.
The only custom cert you may want to swap out is the web interface cert (https://docs.securityonion.net/en/2.4/nginx.html?replacing-default-cert#replacing-default-cert)
Other certs should not need to be changed. For the Elastic Agent, the SO Grid CA crt is bundled with the Agents, so as long as the Grid CA doesn't change, it won't be a problem as certs on the Fleet Node etc. change.
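The reply above turns on one check: whatever certificate a fleet node presents, it must chain to the Grid CA that is bundled with the agents. The script below is an added example, not Security Onion's own tooling or anything from this thread, and it does that check with only the openssl CLI. It assumes (neither is stated on the page) that the Grid CA certificate sits at /etc/pki/ca.crt on a node and that the fleet server listens on TCP 8220; the self-test builds a throwaway "Grid CA", a fleet certificate issued by it, and an unrelated self-signed fleet certificate, so it runs offline without touching a real grid.

```shell
#!/usr/bin/env bash
# Added example (not Security Onion's own code): tell whether the certificate a
# grid node presents chains to the Grid CA that the Elastic Agents trust.
# Assumptions, not from the page: Grid CA at /etc/pki/ca.crt, fleet server on 8220.
set -eu

GRID_CA="${GRID_CA:-/etc/pki/ca.crt}"   # assumed location of the Grid CA certificate

# Print the issuer DN of a PEM certificate file (works with OpenSSL 1.x and 3.x output).
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Print the subject DN of a PEM certificate file.
cert_subject() {
  openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Exit status 0 when the certificate in $1 chains to the CA file in $2, non-zero otherwise.
# This is the same verification an agent performs with the bundled Grid CA.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Capture the leaf certificate a live TLS endpoint presents (e.g. fleet:8220)
# into the PEM file named by $2. Needs network access; the offline self-test
# below does not use it.
fetch_presented_cert() {
  local host_port=$1 out=$2
  openssl s_client -connect "$host_port" -servername "${host_port%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -out "$out"
}

# Constructed test material: a throwaway "Grid CA", a fleet cert it issued, and
# an unrelated self-signed fleet cert, all written into directory $1.
make_test_pki() {
  local dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Grid CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=fleet.example.internal" \
    -keyout "$dir/fleet.key" -out "$dir/fleet.csr" 2>/dev/null
  openssl x509 -req -in "$dir/fleet.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/fleet.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fleet.example.internal" \
    -keyout "$dir/selfsigned.key" -out "$dir/selfsigned.crt" 2>/dev/null
}

# Human-readable verdict for one certificate file against one CA file.
report() {
  local cert=$1 ca=$2
  printf 'subject: %s\nissuer:  %s\n' "$(cert_subject "$cert")" "$(cert_issuer "$cert")"
  if chains_to_ca "$cert" "$ca"; then
    echo "chains to $ca: yes (agents trusting this CA will accept it)"
  else
    echo "chains to $ca: NO (agents will reject it)"
  fi
}

# Stand-alone run: ./check_grid_cert.sh --selftest builds the test PKI and reports
# on both certificates; ./check_grid_cert.sh fleet.example.internal:8220 checks a
# live node against $GRID_CA.
case "${1:-}" in
  --selftest)
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    report "$tmp/fleet.crt" "$tmp/ca.crt"
    report "$tmp/selfsigned.crt" "$tmp/ca.crt"
    rm -rf "$tmp"
    ;;
  *:*)
    tmp=$(mktemp)
    fetch_presented_cert "$1" "$tmp"
    report "$tmp" "$GRID_CA"
    rm -f "$tmp"
    ;;
esac
```

The self-signed case is the one the thread describes: a certificate for the right hostname that nothing in the grid trusts, which is why swapping the fleet node's cert for one from an outside CA breaks enrollment unless that CA is also what the agents carry. The live mode is only useful on a host that can reach the node; the verdict it prints is exactly what an agent with the bundled Grid CA would conclude.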