Clarify adminconsole certs

[kunisen]

Description

To address issue: #2747

Two main edits:

• To generate RSA private key, it needs to have -----BEGIN RSA PRIVATE KEY----- (openssl with -traditional option but not default one) and must not be -----BEGIN PRIVATE KEY-----, otherwise user will get cert.invalid_cert_chain error.
  • (I discussed this with @geekpete and @mailahmeduk for quite in-depth about how to get around of this issue so I'd like to explicitly call this out)
• Add the doc part for Adminconsole cert added in ECE 3.8 (maybe @eedugon I need to raise issue in our internal cloud repo and back port it to 3.8?)

Reviewers

• Requested @AlexP-Elastic or @beiske for your review as you are the reporter of this adminconsole cert issue internally (this and this)
• Also, docs team, please help review from docs perspective 🙏

Preview

• Before PR merge: deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md
• After PR merge: https://www.elastic.co/docs/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates

---

Thank you!

[github-actions]

🔍 Preview links for changed docs

• deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md

[eedugon]

@kunisen : the introduction section of the doc needs to identify and explain also the adminconsole certificate.

[eedugon]

Now that we have a specific cert for adminconsole.... is this text still valid in the Cloud UI certificate section?

Could anyone explain what exactly is adminconsole certificate for? We need to explain the difference between CloudUI and adminconsole certificates properly in the documentation if users need to take care of both.

What HTTP endpoint is secured by the CloudUI cert and what HTTP endpoint is secured by the adminconsole cert?

cc: @Kushmaro

[kunisen]

Thank you @eedugon! I missed that part and now added the note.

[1]

Based on the internal sync from @beiske and @AlexP-Elastic, my understanding is:

• Cloud UI cert can handle request via 12443 port, which covers both UI and API (we can hit 12443 port via RESTful API)
• Adminconsole cert only handles request via 12343 port, which is dedicated for API (in case when UI is down)

But if we say

• Cloud UI cert handles both UI and API
• Adminconsole cert handles API only
• Adminconsole cert is rarely used
• You can use same cert for Cloud UI cert to be Adminconsole cert

Then it will only cause confusion.
=> Based on that, I removed and to make RESTful API calls. from Cloud UI cert description.

[2]

I don't know if this is the best choice. @beiske @AlexP-Elastic and @eedugon please help comment on this.

Why we have to have this doc PR?
=> It's because the Adminconsole cert UI was implemented and it expires and causes customer cases ...
==> Why we have to implement that Adminconsole UI? It was because we want to let user manage this and we want to let user just reuse their Cloud UI cert.

[eedugon]

Some comments added, we need to update the intro to show also the new cert and we need to ensure we explain properly what is the adminconsole certificate for, and what exact HTTP endpoint / URLs is securing.

[eedugon]

If this cert is for admin console and NOT for CloudUI, the verification should be through API rest calls, or?
What is the adminconsole certificate for exactly?

Step "3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser" looks not valid for this certificate verification.

^^ The previous is valid to validate the Cloud UI certificate, not adminconsole cert.

cc: @AlexP-Elastic

[kunisen]

IIUC, this cert is only used for port 12343 (not 12443, which is used as cloud UI cert, and that cert handles both UI and API request). And this cert is only used when 12443 is not accessible, as diagnostic usage for API access. Details in my comment - #2754 (comment)

(I might be wrong - please correct me. I don't have the best wording. But I hope via this doc PR we could find a good wording solution for this and we could have fewer customer cases in the future :) )

[eedugon]

Interesting, thanks for sharing.

I wouldn't remove then the text about API calls in cloudUI cert, as that cert is actually the one valid for the most common API calls made by our users (on port 12443).

[kunisen]

Thanks @eedugon for being patient. I added back.
Could you check if this time it looks good from docs perspective please?

[AlexP-Elastic]

Personally I think I would remove steps 2 and 3 from To add an Adminconsole certificate from the command line: and leave the openssl as the only test option (nobody should be doing this anyway, no reason not add AC cert from the UI unless the UI is down - maybe we can add that)

[kunisen]

HI @AlexP-Elastic @beiske could you kindly review this doc PR so that we could sort this out.
We have @fdartayre got customer case and documented that in KB - https://support.elastic.co/knowledge/d388fd18 (another occurrence) where having this doc PR published could help make things clear.

Thank you!

[AlexP-Elastic]

I think we need to be clearer that the Adminconsole cert does not support standard use, it's a fallback port only

[AlexP-Elastic]

I don't think this is right

The Cloud UI certificate is for API and UI calls

The Adminconsole certificate allow secure connection to an alternative API port that can be used in incidents scenario where the UI is down (very rare). We recommend re-using the UI certificate for this.

[kunisen]

Thank you @AlexP-Elastic

Updated with the suggestion:

- :   Used to connect securely to make RESTful API calls.

+ :   This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend reusing the UI certificate for this purpose.

[kunisen]

Also @AlexP-Elastic I made the change according based on your 2nd comment - #2754 (comment) too:

(Hard to copy things out and mostly the screenshots is visibly evident enough...)

[AlexP-Elastic]

Personally I think I would remove steps 2 and 3 from To add an Adminconsole certificate from the command line: and leave the openssl as the only test option (nobody should be doing this anyway, no reason not add AC cert from the UI unless the UI is down - maybe we can add that)

[kunisen]

Thanks @AlexP-Elastic for your suggestion.

I made the corresponding updates based on #2754 (comment) and #2754 (comment). Could you kindly help review again please?

[eedugon]

Looks great! Just added a minor wording suggestions.

[kunisen]

Thank you @eedugon and @AlexP-Elastic again!

We will have less SDHs in the future 😄