Expand Up @@ -60,6 +60,19 @@ The PEM file should be structured like this:

Each key and certificate would be generated by you or your IT team.

::::{note}
{{ece}} expects to have private key start with a header of `-----BEGIN RSA PRIVATE KEY-----`. If your private key starts with a different header, for example, `-----BEGIN PRIVATE KEY-----` (no `RSA`), you will get error:

```json
{
"code" : "cert.invalid_cert_chain",
"message" : "Certificate chain was invalid [Invalid Entry: expected unencrypted rsa private key (is start of file corrupted?)]"
}
```

We recommend you to review your certificate generating tool related documentation for how to obtain the ECE expected hearder for your private key. For example, if you use OpenSSL to generate your private key, you can use `-traditional` option.
::::


## Get existing ECE security certificates [ece-existing-security-certificates]
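Review bot: the sentence "you can use `-traditional` option" should name the command and the key format, otherwise readers will not know where the flag goes: in OpenSSL 3.x, `openssl rsa`, `openssl pkey` and `openssl genrsa` accept `-traditional` to write the PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` form instead of the PKCS#8 `-----BEGIN PRIVATE KEY-----` default, e.g. `openssl rsa -in key.pem -traditional -out key-rsa.pem`. The quoted error reads "expected unencrypted rsa private key", so the note should also say that a passphrase-protected key (`-----BEGIN ENCRYPTED PRIVATE KEY-----`) is rejected with the same error, not only a key with the PKCS#8 header. Minor: "hearder" is misspelled, "We recommend you to review your certificate generating tool related documentation" reads better as "Review the documentation of your certificate tool", and the last paragraph mixes `{{ece}}` with a literal "ECE".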

Expand Down Expand Up @@ -295,6 +308,36 @@ To add a proxy certificate from the command line:
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect HOSTNAME_OR_IP:9343 < /dev/zero
```

## Add an Adminconsole certificate [ece-tls-adminconsole]

::::{note}
In {{ece}}, this certificate is treated identically to the [Cloud UI certificate](#ece-tls-ui). You can use the same certificate bundle generated for Cloud UI.
::::

To add an Adminconsole certificate from the Cloud UI:

1. [Log into the Cloud UI](../../deploy/cloud-enterprise/log-into-cloud-ui.md).
2. From the **Platform** menu, select **Settings**.
3. Under **TLS settings** for the Adminconsole, choose **Upload new certificate** and select a concatenated file containing your RSA private key, server certificate, and CA certificate. Upload the selected file.

To get the details of the certificate you added, select **Show certificate chain**.

To add an Adminconsole certificate from the command line:

1. Add the certificate for the Adminconsole to your {{ece}} installation, where `CA_CERTIFICATE_FILENAME` is the name of the CA certificate you downloaded earlier and `ADMINCONSOLE_PEM_FILENAME` is the name of the concatenated file containing your RSA private key, server certificate, and CA certificate:

```
curl --cacert CA_CERTIFICATE_FILENAME -H 'Content-Type: application/json' --data-binary @ADMINCONSOLE_PEM_FILENAME --user "admin:PASSWORD" "https://admin:12443/api/v1/platform/configuration/security/tls/adminconsole"
```

2. Log out of the Cloud UI and log in again.
3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser.
Contributor
If this cert is for admin console and NOT for CloudUI, the verification should be through API rest calls, or?
What is the adminconsole certificate for exactly?

Step "3. Verify that you are now using the new certificate chain. There should be no security warnings when you connect to the Cloud UI over HTTPS in your web browser" looks not valid for this certificate verification.

^^ The previous is valid to validate the Cloud UI certificate, not adminconsole cert.

cc: @AlexP-Elastic

Contributor Author

IIUC, this cert is only used for port 12343 (not 12443, which is used as cloud UI cert, and that cert handles both UI and API request). And this cert is only used when 12443 is not accessible, as diagnostic usage for API access. Details in my comment - #2754 (comment)

(I might be wrong - please correct me. I don't have the best wording. But I hope via this doc PR we could find a good wording solution for this and we could have fewer customer cases in the future :) )

Contributor

Interesting, thanks for sharing.

I wouldn't remove then the text about API calls in cloudUI cert, as that cert is actually the one valid for the most common API calls made by our users (on port 12443).

Contributor Author

Thanks @eedugon for being patient. I added it back.
Could you check if this time it looks good from a docs perspective, please?


Personally I think I would remove steps 2 and 3 from "To add an Adminconsole certificate from the command line:" and leave the openssl as the only test option (nobody should be doing this anyway, no reason not to add the AC cert from the UI unless the UI is down - maybe we can add that).


Alternatively, you can also check the certificate using the openssl command:

```
openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero
```


## Limitations [ece-tls-limitations]
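Review bot: step 3 of the command-line procedure checks the wrong endpoint. As the thread establishes, this certificate is served on port 12343, while "no security warnings when you connect to the Cloud UI over HTTPS in your web browser" exercises the Cloud UI certificate on 12443, so a broken Adminconsole bundle would still pass that check. Suggest following the reviewer's proposal to drop steps 2 and 3 and make the `openssl s_client -CAfile CA_CERTIFICATE_FILENAME -showcerts -connect containerhost:12343 < /dev/zero` command the verification step, stating what a good result looks like (the output ends with `Verify return code: 0 (ok)` and the chain shown is the one you uploaded). Two smaller points: the `::::{note}` that the certificate "is treated identically to the Cloud UI certificate" sits uneasily with the 12343-only usage described in the thread and should say what that port is for (the fallback API access mentioned in the discussion), and the openssl command uses `containerhost` where the proxy example above uses the `HOSTNAME_OR_IP` placeholder; pick one convention.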