Clarify ECE doc about wildcard DNS certificate #3513
Conversation
kunisen
requested review from
AlexP-Elastic,
dtuck9,
eedugon and
maggieghamry
|
Hi @eedugon @AlexP-Elastic @dtuck9 @maggieghamry I requested your kind review from doc, dev and support perspective. |
kunisen
added
documentation
🔍 Preview links for changed docs |
eedugon
left a comment
eedugon
left a comment
There was a problem hiding this comment.
Awesome improvements in my opinion.
Really worthy.
In some way I think we shouldn't even mention (or support) the possibility of certificates with static SAN entries, but I'm ok with this text.
deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases.md
Outdated
Show resolved
Hide resolved
...e/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md
Outdated
Show resolved
Hide resolved
deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases.md
Outdated
Show resolved
Hide resolved
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
…stallation/manage-security-certificates.md Co-authored-by: Edu González de la Herrán <[email protected]>
…liases.md Co-authored-by: Edu González de la Herrán <[email protected]>
AlexP-Elastic
left a comment
AlexP-Elastic
left a comment
There was a problem hiding this comment.
Looks fine to me, had a few minor comments but nothing blocking
|
|
||
| For this reason, using a wildcard DNS certificate is recommended over a certificate with static SAN entries, as it provides a more scalable, performant, and operationally safe solution. | ||
|
|
||
| ### Operational cost perspective |
There was a problem hiding this comment.
Do we really need 3 sections here to expand on the sentence above?
Who are you trying to convince - pretty sure everyone who is allowed to use a wildcard cert will do so :)
I think I'd probably just add
a static SAN certificate requires reissuing the certificate whenever a new deployment is created and updating the SAN list for all clusters and applications (Elasticsearch, Kibana, etc.), which increases operational overhead.
and
We suggest configuring your wildcard DNS certificate as a subdomain (e.g.,
*.ece.mycompany.com). Doing so significantly reduces security risks associated with certificate misconfigurations.
to the section above
I don't feel super strongly about this though
There was a problem hiding this comment.
Thank you @AlexP-Elastic!
The request comes from past cases from customers and the discussion with @eedugon that we felt it doesn't harm to make it super clear that "why in specific do we highly recommend wildcard DNS certs". We had multiple customers / users asking details about security risk, operational cost related questions, and Edu shared the insights about the performance considerations too, which eventually and logically it split into 3 sections.
I will leave this to @eedugon and @maggieghamry to make the decision :) If they could help confirm that the simplified content is easily and visibly understandable enough for customers, then I am perfectly fine with we remove the headings and describe the context in one paragraph.
@eedugon @maggieghamry please help provide your kind insights on this 🙏 and thanks again!
|
@kunisen , I think there's a middle point, as in some way we don't need to highlight all this that much with a big H2 section and 3 x H3. On Monday I will quickly prepare a proposal through a
I agree the 3 big sub-sections at the end don't add value and it makes the doc scope to not be totally clear. |
|
Hi @eedugon may I trouble you to take a look at this when you have time please? thank you! 🙏 |
eedugon
left a comment
eedugon
left a comment
There was a problem hiding this comment.
LGTM, I've suggested a change in the comparison between wildcard certs and static SAN entries certs.
Co-authored-by: Edu González de la Herrán <[email protected]>
Co-authored-by: Edu González de la Herrán <[email protected]>
## Description This doc PR is to address [this internal ticket](elastic/support-tech-lead#1660). Change detail: [this comment](elastic/support-tech-lead#1660 (comment)). ## Preview before PR merge - [deploy-manage/deploy/cloud-enterprise/change-endpoint-urls.md](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3513/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls) - [deploy-manage/deploy/cloud-enterprise/ece-wildcard-dns.md](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3513/deploy-manage/deploy/cloud-enterprise/ece-wildcard-dns) - [deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases.md](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3513/deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases) - [deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates.md](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/3513/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates) ## Preview after PR merge * https://www.elastic.co/docs/deploy-manage/deploy/cloud-enterprise/ece-wildcard-dns * https://www.elastic.co/docs/deploy-manage/deploy/cloud-enterprise/change-endpoint-urls * https://www.elastic.co/docs/deploy-manage/deploy/cloud-enterprise/enable-custom-endpoint-aliases * https://www.elastic.co/docs/deploy-manage/security/secure-your-elastic-cloud-enterprise-installation/manage-security-certificates --------- Co-authored-by: Edu González de la Herrán <[email protected]>
Description
This doc PR is to address this internal ticket. Change detail: this comment.
Preview before PR merge
Preview after PR merge