diff --git a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md index 52318315ee..9c0a635353 100644 --- a/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md +++ b/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md @@ -31,6 +31,8 @@ Proxy certificate After the certificates have been installed, connecting securely to {{es}}, {{kib}}, and the Cloud UI or making secure RESTful API calls to ECE should not result in any security warnings or errors. +Adminconsole certificate +: This certificate facilitates a secure connection to an alternative API port, which can be used in rare scenarios where the UI is unavailable. We recommend using the same certificate as the one configured for the Cloud UI. ## Before you begin [ece_before_you_begin_7] @@ -60,6 +62,19 @@ The PEM file should be structured like this: Each key and certificate would be generated by you or your IT team. +::::{note} +{{ece}} requires the private key to begin with the header `-----BEGIN RSA PRIVATE KEY-----`. If your key instead starts with a different header, such as `-----BEGIN PRIVATE KEY-----` (without `RSA`), an error occurs: + +```json +{ + "code" : "cert.invalid_cert_chain", + "message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]" +} +``` + +Review the documentation for your certificate generation tool to determine how to obtain the private key header expected by {{ece}}. For example, with OpenSSL you can add the `-traditional` option when generating the key. +:::: + ## Get existing ECE security certificates [ece-existing-security-certificates] 
@@ -295,6 +310,25 @@ To add a proxy certificate from the command line: openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero ``` +## Add an Adminconsole certificate [ece-tls-adminconsole] + +::::{note} +In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI. +:::: + +To add an Adminconsole certificate from the Cloud UI: + +1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md). +2. From the **Platform** menu, select **Settings**. +3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file. + +To get the details of the certificate you added, select **Show certificate chain**. + +You can verify the new certificate chain by using the openssl command: + + ``` + openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero + ``` ## Limitations [ece-tls-limitations]
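Review bot: In the second hunk (the `::::{note}` block after "Each key and certificate would be generated by you or your IT team."), the quoted error message says "expected unencrypted rsa private key", so the check rejects passphrase-protected keys as well as PKCS#8-formatted ones, but the note only explains the `-----BEGIN PRIVATE KEY-----` header case; suggest adding a sentence that a key starting with `-----BEGIN ENCRYPTED PRIVATE KEY-----` (or an RSA key with a `Proc-Type: 4,ENCRYPTED` header) fails with the same error and must be decrypted before it is concatenated into the PEM bundle. The sentence "with OpenSSL you can add the `-traditional` option when generating the key" should also say this is an OpenSSL 3 option (it is the version where `genrsa` started emitting the PKCS#8 header by default) and show the conversion for a key that already exists, which is the more common situation, e.g. `openssl rsa -in key.pem -out key-rsa.pem -traditional`, with a reminder to verify the first line reads `-----BEGIN RSA PRIVATE KEY-----` before uploading.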
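Review bot: In the third hunk (the new `## Add an Adminconsole certificate [ece-tls-adminconsole]` section), the verification command is inconsistent with the proxy example shown in the hunk's leading context: its code fence and command are indented by one space, which the preceding block is not, and it hardcodes `containerhost:12343` where the proxy example uses the `HOSTNAME_OR_IP` placeholder; suggest de-indenting the fence and writing `openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:12343 < /dev/zero` so readers recognise both values as placeholders to substitute. The hunk's context also shows the proxy section offers a "from the command line" procedure, while the new section only documents the Cloud UI path; either add the equivalent command-line steps or state explicitly that the Adminconsole certificate can only be uploaded through the Cloud UI, so the omission does not read as an oversight. Finally, the note that the certificate "is treated identically to the Cloud UI certificate" would be clearer if it said whether uploading a new Cloud UI certificate also replaces the Adminconsole one or whether both must be uploaded separately, since that decides whether the recommended reuse is automatic.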