|
| 1 | +--- |
| 2 | +navigation_title: Considerations |
| 3 | +applies_to: |
| 4 | + deployment: |
| 5 | + self: |
| 6 | + eck: |
| 7 | +products: |
| 8 | + - id: elasticsearch |
| 9 | +navigation_title: External CA considerations |
| 10 | +--- |
| 11 | + |
| 12 | +# Considerations for using an external CA for transport layer security |
| 13 | + |
| 14 | +::::{important} |
| 15 | +Transport connections between {{es}} nodes are security-critical. Malicious actors who can observe, interfere with, or establish these connections may be able to read or modify cluster data through system-internal APIs. |
| 16 | +:::: |
| 17 | + |
| 18 | +## How mutual TLS protects transport connections |
| 19 | + |
| 20 | +By default, {{es}} uses mutual TLS (mTLS) for node-to-node transport connections. This ensures: |
| 21 | + |
| 22 | +- **Encryption**: Data is encrypted in transit for confidentiality and integrity |
| 23 | +- **Authentication**: Both nodes must present valid certificates when connecting |
| 24 | +- **Authorization**: Certificates must be issued by a trusted certificate authority |
| 25 | + |
| 26 | +Configure trusted certificate authorities using settings like `xpack.security.transport.ssl.certificate_authorities` or `xpack.security.transport.ssl.truststore.path`. |
| 27 | + |
| 28 | +## Certificate authority requirements |
| 29 | + |
| 30 | +::::{warning} |
| 31 | +Anyone with a certificate from a trusted CA can establish transport connections to your cluster and potentially access or modify data. |
| 32 | +:::: |
| 33 | + |
| 34 | +Use a dedicated private certificate authority for each {{es}} cluster. **Do not use**: |
| 35 | + |
| 36 | +- Public certificate authorities |
| 37 | +- Organization-wide private certificate authorities |
| 38 | +- CAs shared with other applications |
| 39 | + |
| 40 | +These broader CAs issue certificates to entities beyond your authorized {{es}} nodes, creating security risks. |
| 41 | + |
| 42 | +## Certificate requirements |
| 43 | + |
| 44 | +Transport certificates must either: |
| 45 | +- Have no Extended Key Usage (EKU) extension, or |
| 46 | +- Include both `clientAuth` and `serverAuth` in the EKU extension |
| 47 | + |
| 48 | +Public CAs typically omit `clientAuth`, making their certificates unsuitable for mTLS. |
| 49 | + |
| 50 | +## HTTP versus transport certificates |
| 51 | + |
| 52 | +**Do not use the same certificate for both HTTP and transport connections.** They have different security requirements: |
| 53 | + |
| 54 | +- **Transport certificates** (`xpack.security.transport.ssl.*`): Require mTLS and must include `clientAuth` in the EKU extension |
| 55 | +- **HTTP certificates** (`xpack.security.http.ssl.*`): Use HTTP authentication mechanisms and typically don't need `clientAuth` |
| 56 | + |
| 57 | +HTTP certificates can often come from public or organization-wide CAs, while transport certificates should always use a cluster-specific private CA. |
| 58 | + |
| 59 | +## Disabling mutual TLS |
| 60 | + |
| 61 | +If your environment prevents unauthorized node-to-node connections through other means, you can disable mTLS: |
| 62 | + |
| 63 | +```yaml |
| 64 | +xpack.security.transport.ssl.client_authentication: none |
| 65 | +``` |
| 66 | +
|
| 67 | +You can still use non-mutual TLS for encryption: |
| 68 | +
|
| 69 | +```yaml |
| 70 | +xpack.security.transport.ssl.enabled: true |
| 71 | +``` |
| 72 | +
|
| 73 | +::::{warning} |
| 74 | +Disabling mTLS allows anyone with network access to establish transport connections. Only do this if you're absolutely certain unauthorized network access cannot occur. |
| 75 | +:::: |
0 commit comments