Configuring SSL for Kibana

You can configure SSL for Kibana. When you do, you must also set the SSL Option field (in the Kibana section) on the Search Instance Properties page to ENABLE.

To set up SSL for Kibana, complete these steps:

  1. Configuration required in kibana.yml:

    server.ssl.enabled: true
    server.ssl.certificate: <certificate issued by server> (for example, signed.cer)
    server.ssl.key: <keystore> (for example, mykeystore.key)

    If Elasticsearch is SSL enabled, you need to complete the following additional configuration:

    elasticsearch.ssl.certificateAuthorities: (for example, "C:\ES\elasticsearch7.0\plugins\orcl-security-plugin\config\properties\cacert.cer")

    Note: Keystore and certificate should be placed in the bin (default) folder or config folder (specify the path in kibana.yml).

  2. Import the trusted root from CA and save it locally (for example, D:\ca\cacert.cer).

  3. Import root certificate from CA to the keystore using keytool:

    JAVA_HOME\bin>keytool -importcert -keystore KIBANA_HOME/bin/mykeystore.jks -file D:\ca\cacert.cer -alias my_ca

  4. Set up the keystore and private key:

    keytool -genkey -alias alias1 -keystore KIBANA_HOME/bin/mykeystore.jks -keyalg RSA -keysize 2048 -validity 712

  5. Create a certificate signing request:

    keytool -certreq -alias alias1 -keystore KIBANA_HOME/bin/mykeystore.jks -file D:\ca\mycsr.csr -keyalg rsa

    This command writes a PEM-encoded CSR to the file given by -file. The content is delimited by -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

  6. Use the CSR to get a certificate from CA. Download it and save it locally (for example, D:\ca\signed.cer).

  7. Import the certificate to the keystore:

    keytool -importcert -keystore KIBANA_HOME/bin/mykeystore.jks -file D:\ca\signed.cer -alias alias1

  8. Convert the keystore file to PEM format because Kibana does not support any other format.

    keytool -importkeystore -srckeystore KIBANA_HOME/bin/mykeystore.jks -destkeystore KIBANA_HOME/bin/mykeystore.p12 -srcstoretype jks -deststoretype pkcs12

    Move the intermediate mykeystore.p12 file to Linux and execute the following command:

    openssl pkcs12 -in mykeystore.p12 -out mykeystore.pem

    Or directly use this command:

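    keytool -list -rfc -keystore "mykeystore.jks" | sed -e "/-*BEGIN [A-Z]*-*/,/-*END [A-Z]*-*/!d" >> "mykeystore.pem"

    Note: keytool -list -rfc prints certificates only, so a PEM file produced this way does not contain the private key that step 9 reads.

  9. Convert the pem file to .key format:

    openssl rsa -in mykeystore.pem -out mykeystore.key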

  10. Update the kibana.yml file with the SSL settings.
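
The following pre-flight check is an added example, not part of the original procedure: it inspects the PEM files from steps 8 and 9 to confirm that the file referenced by server.ssl.key actually contains a private key and is not readable by other users. The function names are hypothetical; the file names follow the examples above.

```shell
#!/bin/sh
# Added example: inspect the PEM files from steps 8 and 9 before kibana.yml
# references them. Function names are hypothetical.

# Count PEM blocks whose label matches the extended regex in $2.
pem_count() {
    grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true
}

# Print what a PEM file holds: key+cert, key-only, cert-only, empty or missing.
pem_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    keys=$(pem_count "$1" '(RSA |EC |ENCRYPTED )?PRIVATE KEY')
    certs=$(pem_count "$1" 'CERTIFICATE')
    if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo key+cert
    elif [ "$keys" -gt 0 ]; then echo key-only
    elif [ "$certs" -gt 0 ]; then echo cert-only
    else echo empty
    fi
}

# Succeed if the private key is still passphrase-protected
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or traditional "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -Eq -- '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if group and others have no access to the file (for example, mode 600).
perms_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Full check for the file that server.ssl.key will point to.
check_kibana_key() {
    kind=$(pem_kind "$1")
    case $kind in
        key-only|key+cert) ;;
        *) echo "FAIL: $1 holds no private key ($kind)"; return 1 ;;
    esac
    if key_is_encrypted "$1"; then
        echo "NOTE: $1 is passphrase-protected"
    fi
    perms_private "$1" || { echo "FAIL: $1 is readable by group/others"; return 1; }
    echo "OK: $1"
}
```

Run check_kibana_key mykeystore.key after step 9; pem_kind mykeystore.pem shows whether the step 8 output includes a private key at all.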