Conversation

slobodanadamovic
Contributor

Backports the following commits to 9.0:

…astic#126376)

The `elasticsearch-certutil http` command, and security auto-configuration, 
generate the HTTP certificate and CA without setting the `keyUsage` extension.

This PR fixes this by setting (by default):
- `keyCertSign` and `cRLSign` for self-signed CAs 
- `digitalSignature` and `keyEncipherment` for HTTP certificates and CSRs

These defaults can be overridden when running `elasticsearch-certutil http` 
command. The user will be prompted to change them as they wish.

For `elasticsearch-certutil ca`, the default value can be overridden by passing 
the `--keyusage` option, e.g.
```
elasticsearch-certutil ca --keyusage "digitalSignature,keyCertSign,cRLSign" -pem    
```

Fixes elastic#117769
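The `keyUsage` extension the PR adds is a DER BIT STRING (RFC 5280 section 4.2.1.3), and the bit positions decide what OpenSSL and JSSE print and enforce. The following is an added example, not code from the PR or from Elasticsearch: it encodes a set of usage names into the DER the extension carries, decodes DER back into names (rejecting non-minimal encodings), and checks a decoded set against the two defaults the description lists. The bit-name table is the RFC's; the role keys `"ca"` and `"http"` and the `EXPECTED` map are this example's own assumptions taken from the description above.

```python
"""Encode/decode the X.509 keyUsage extension value (RFC 5280 4.2.1.3).

Added example; not part of the Elasticsearch PR. Sample DER below is
constructed by hand from the RFC bit assignments.
"""

# Bit positions from RFC 5280. Bit 0 is the most significant bit of the
# first byte of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}
BIT_NAMES = {v: k for k, v in KEY_USAGE_BITS.items()}

# Assumed role names; the sets are the defaults the PR description states:
# a self-signed CA signs certificates and CRLs, an HTTP end-entity cert
# signs the handshake (ECDHE) and may encipher a premaster secret (RSA kex).
EXPECTED = {
    "ca": {"keyCertSign", "cRLSign"},
    "http": {"digitalSignature", "keyEncipherment"},
}


def encode_key_usage(names):
    """Return the DER BIT STRING for a set of keyUsage names (minimal form)."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)  # KeyError on unknown name
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING: zero unused bits, no content
    highest = bits[-1]
    nbytes = highest // 8 + 1
    value = bytearray(nbytes)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    # DER requires trailing zero bits to be dropped: count them as "unused".
    unused = nbytes * 8 - (highest + 1)
    body = bytes([unused]) + bytes(value)
    return b"\x03" + bytes([len(body)]) + body


def decode_key_usage(der):
    """Parse a DER BIT STRING into the set of keyUsage names it asserts."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, value = der[2], der[3:]
    if unused > 7 or (not value and unused):
        raise ValueError("bad unused-bits count")
    if value:
        if value[-1] & ((1 << unused) - 1):
            raise ValueError("unused bits must be zero")
        if not (value[-1] >> unused) & 1:
            raise ValueError("non-minimal DER: trailing zero bit")
    total = len(value) * 8 - unused
    names = set()
    for i in range(total):
        if value[i // 8] & (0x80 >> (i % 8)):
            names.add(BIT_NAMES.get(i, f"bit{i}"))
    return names


def check_key_usage(role, der):
    """Return (ok, missing) for a cert's keyUsage DER against the role's default.

    der=None models a certificate with no keyUsage extension at all, which is
    what the tooling produced before this fix.
    """
    have = decode_key_usage(der) if der is not None else set()
    missing = EXPECTED[role] - have
    return not missing, missing


if __name__ == "__main__":
    ca = encode_key_usage(EXPECTED["ca"])
    http = encode_key_usage(EXPECTED["http"])
    print("ca   ", ca.hex(), decode_key_usage(ca))
    print("http ", http.hex(), decode_key_usage(http))
    print("no extension on a CA:", check_key_usage("ca", None))
```

On a real certificate, `openssl x509 -in http.crt -noout -ext keyUsage` (OpenSSL 1.1.1 and later) prints the decoded names, which should match the `EXPECTED` set for the certificate's role; the raw extension bytes can be located with `openssl asn1parse -in http.crt -i` if you want to feed them to `decode_key_usage`.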
@slobodanadamovic slobodanadamovic added :Security/TLS SSL/TLS, Certificates >bug auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport Team:Security Meta label for security team labels Apr 8, 2025
@elasticsearchmachine elasticsearchmachine merged commit 112859b into elastic:9.0 Apr 8, 2025
21 checks passed
@slobodanadamovic slobodanadamovic deleted the backport/9.0/pr-126376 branch April 8, 2025 08:56

Labels

auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport >bug :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team v9.0.1
