Conversation

slobodanadamovic
Contributor

Backports the following commits to 8.x:

…astic#126376) (elastic#126448)

* Set `keyUsage` for generated HTTP certificates and self-signed CA (elastic#126376)

The `elasticsearch-certutil http` command, and security auto-configuration,
generate the HTTP certificate and CA without setting the `keyUsage` extension.

This PR fixes this by setting (by default):
- `keyCertSign` and `cRLSign` for self-signed CAs
- `digitalSignature` and `keyEncipherment` for HTTP certificates and CSRs

These defaults can be overridden when running `elasticsearch-certutil http`
command. The user will be prompted to change them as they wish.

For `elasticsearch-certutil ca`, the default value can be overridden by passing
the `--keyusage` option, e.g.
```
elasticsearch-certutil ca --keyusage "digitalSignature,keyCertSign,cRLSign" -pem
```

Fixes elastic#117769

(cherry picked from commit 284121a)

# Conflicts:
#	docs/reference/elasticsearch/command-line-tools/certutil.md

* fix compilation error

* [CI] Auto commit changes from spotless

* fix failing test

---------

Co-authored-by: elasticsearchmachine <[email protected]>
@slobodanadamovic slobodanadamovic added :Security/TLS SSL/TLS, Certificates >bug auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport Team:Security Meta label for security team labels Apr 8, 2025
github-actions bot commented Apr 8, 2025

Documentation preview:

@elasticsearchmachine elasticsearchmachine merged commit 1f74c16 into elastic:8.x Apr 8, 2025
21 checks passed
@slobodanadamovic slobodanadamovic deleted the backport/8.x/pr-126448 branch April 8, 2025 11:59
Labels

auto-merge-without-approval Automatically merge pull request when CI checks pass (NB doesn't wait for reviews!) backport >bug :Security/TLS SSL/TLS, Certificates Team:Security Meta label for security team v8.19.0
