Move own CA transport layer mtls guidance to security docs #3932
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -20,15 +20,17 @@ This page explains the requirements and best practices to ensure that certificat | |
| Transport connections between {{es}} nodes are security-critical and you must protect them carefully. Malicious actors who can observe or interfere with unencrypted node-to-node transport traffic can read or modify cluster data. A malicious actor who can establish a transport connection might be able to invoke system-internal APIs, including APIs that read or modify cluster data. | ||
| :::: | ||
|
|
||
| ## Transport mTLS certificate requirements for external CAs | ||
|
|
||
| Obtain your transport certificates from a certificate authority that only issues certificates to {{es}} nodes permitted to connect to your cluster. Do not use a public certificate authority or an organization-wide private certificate authority, because these issue certificates to entities beyond your authorized cluster nodes. Use a dedicated private certificate authority for each {{es}} cluster. | ||
|
Contributor
There was a problem hiding this comment. This first sentence should probably be considered or used for comparison in the section "Transport vs HTTP". We probably want to explain that this is not that relevant for HTTP, and for HTTP, for operational purposes (and because we have extra authentication and authorization mechanisms), it's common to not use dedicated CAs per cluster, and even public / organizational CAs that are automatically trusted by the clients. Of course this will depend on the use case, as in certain use cases it might have sense to have the HTTP layer also super-protected at TLS level. We should end up with the recommendation that as minimum, if they use private CAs, they should create a private CA to generate transport certs, and another private CA to generate HTTP certs. This relates with the comment in the "transport vs HTTP" section.
Contributor
There was a problem hiding this comment. I'm not sure what concrete change you're suggesting here. The title of this page is
Contributor
There was a problem hiding this comment. Sorry if I wasn't clear enough @DaveCTurner , I wasn't suggesting a change there, just highlighting that the style and content of that first paragraph could be used in the section where we compare HTTP and transport. |
||
|
|
||
| Certificates used for transport mTLS must either have no Extended Key Usage extension, or include both `clientAuth` and `serverAuth` values in the extension. Public certificate authorities typically omit the `clientAuth` value in the Extended Key Usage extension, making them unsuitable for mTLS. | ||
|
|
||
| ### Transport certificates vs. HTTP certificates | ||
|
|
||
| Transport certificates have different security requirements than [HTTP certificates](/deploy-manage/security/secure-cluster-communications.md#encrypt-http-communication). HTTP server certificates don't require the `clientAuth` Extended Key Usage extension because they are used solely for server authentication, regardless of whether mTLS is enabled. In practice, HTTP connections don't typically use mTLS because HTTP has its own authentication mechanisms. | ||
|
|
||
| HTTP certificates can come from public or organization-wide certificate authorities, while transport certificates should use a cluster-specific private CA. In most cases, you should not use the same CA or certificate for both HTTP and transport connections. | ||
|
Collaborator
Author
There was a problem hiding this comment. note "CA or certificate" here
Contributor
There was a problem hiding this comment. I like it a lot, thanks!! |
||
|
|
||
| ## Turning off mTLS for transport connections [turn-off-mtls] | ||
|
|
||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.