首頁 探索 說明
註冊 登入
lqb
/
elasticsearch
镜像来自 https://gitee.com/mirrors/elasticsearch.git
1
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: 442fc1f3b6
分支列表 標籤列表
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
ssl.asciidoc

ssl.asciidoc 4.2 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128 
  1. [role="xpack"]
    2. 

  2. [[security-api-ssl]]
    3. 

  3. === SSL certificate API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>SSL certificate</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. .New API reference
    9. 

  9. [sidebar]
    10. 

  10. --
    11. 

  11. For the most up-to-date API details, refer to {api-es}/group/endpoint-security[Security APIs].
    12. 

  12. --
    13. 

  13. 

  14. The `certificates` API enables you to retrieve information about the X.509
    15. 

  15. certificates that are used to encrypt communications in your {es} cluster.
    16. 

  16. 

  17. [[security-api-ssl-request]]
    18. 

  18. ==== {api-request-title}
    19. 

  19. 

  20. `GET /_ssl/certificates`
    21. 

  21. 

  22. 

  23. [[security-api-ssl-prereqs]]
    24. 

  24. ==== {api-prereq-title}
    25. 

  25. 

  26. * If the {security-features} are enabled, you must have `monitor` cluster
    27. 

  27. privileges to use this API. For more information, see
    28. 

  28. <<security-privileges>>.
    29. 

  29. 

  30. [[security-api-ssl-desc]]
    31. 

  31. ==== {api-description-title}
    32. 

  32. 

  33. For more information about how certificates are configured in conjunction with
    34. 

  34. Transport Layer Security (TLS), see
    35. 

  35. <<encrypt-internode-communication>>.
    36. 

  36. 

  37. The API returns a list that includes certificates from all TLS contexts
    38. 

  38. including:
    39. 

  39. 

  40. * Settings for transport and HTTP interfaces
    41. 

  41. * TLS settings that are used within authentication realms
    42. 

  42. * TLS settings for remote monitoring exporters
    43. 

  43. 

  44. The list includes certificates that are used for configuring trust, such as
    45. 

  45. those configured in the `xpack.security.transport.ssl.truststore` and
    46. 

  46. `xpack.security.transport.ssl.certificate_authorities` settings. It also
    47. 

  47. includes certificates that are used for configuring server identity, such as
    48. 

  48. `xpack.security.http.ssl.keystore` and
    49. 

  49. `xpack.security.http.ssl.certificate` settings.
    50. 

  50. 

  51. The list does not include certificates that are sourced from the default SSL
    52. 

  52. context of the Java Runtime Environment (JRE), even if those certificates are in
    53. 

  53. use within {es}.
    54. 

  54. 

  55. NOTE: When a PKCS#11 token is configured as the truststore of the JRE, the API
    56. 

  56. will return all the certificates that are included in the PKCS#11 token
    57. 

  57. irrespectively to whether these are used in the {es} TLS configuration or not.
    58. 

  58. 

  59. If {es} is configured to use a keystore or truststore, the API output
    60. 

  60. includes all certificates in that store, even though some of the certificates
    61. 

  61. might not be in active use within the cluster.
    62. 

  62. 

  63. [[security-api-ssl-response-body]]
    64. 

  64. ==== {api-response-body-title}
    65. 

  65. 

  66. The response is an array of objects, with each object representing a
    67. 

  67. single certificate. The fields in each object are:
    68. 

  68. 

  69. `path`:: (string) The path to the certificate, as configured in the
    70. 

  70. `elasticsearch.yml` file.
    71. 

  71. `format`:: (string) The format of the file. One of: `jks`, `PKCS12`, `PEM`.
    72. 

  72. `alias`:: (string) If the path refers to a container file (a jks keystore, or a
    73. 

  73.   PKCS#12 file), the alias of the certificate. Otherwise, null.
    74. 

  74. `subject_dn`:: (string) The Distinguished Name of the certificate's subject.
    75. 

  75. `serial_number`:: (string) The hexadecimal representation of the certificate's
    76. 

  76. serial number.
    77. 

  77. `has_private_key`:: (Boolean) Indicates whether {es} has access to the private
    78. 

  78. key for this certificate.
    79. 

  79. `expiry`:: (string) The ISO formatted date of the certificate's expiry
    80. 

  80. (not-after) date.
    81. 

  81. `issuer`:: (string) The Distinguished Name of the certificate's issuer.
    82. 

  82. 

  83. [[security-api-ssl-example]]
    84. 

  84. ==== {api-examples-title}
    85. 

  85. 

  86. The following example provides information about the certificates on a single
    87. 

  87. node of {es}:
    88. 

  88. 

  89. [source,console]
    90. 

  90. --------------------------------------------------
    91. 

  91. GET /_ssl/certificates
    92. 

  92. --------------------------------------------------
    93. 

  93. 

  94. The API returns the following results:
    95. 

  95. 

  96. [source,js]
    97. 

  97. ----
    98. 

  98. [
    99. 

  99.   {
    100. 

  100.     "path": "certs/elastic-certificates.p12",
    101. 

  101.     "format": "PKCS12",
    102. 

  102.     "alias": "instance",
    103. 

  103.     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    104. 

  104.     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    105. 

  105.     "has_private_key": false,
    106. 

  106.     "expiry": "2021-01-15T20:42:49.000Z"
    107. 

  107.   },
    108. 

  108.   {
    109. 

  109.     "path": "certs/elastic-certificates.p12",
    110. 

  110.     "format": "PKCS12",
    111. 

  111.     "alias": "ca",
    112. 

  112.     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    113. 

  113.     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    114. 

  114.     "has_private_key": false,
    115. 

  115.     "expiry": "2021-01-15T20:42:49.000Z"
    116. 

  116.   },
    117. 

  117.   {
    118. 

  118.     "path": "certs/elastic-certificates.p12",
    119. 

  119.     "format": "PKCS12",
    120. 

  120.     "alias": "instance",
    121. 

  121.     "subject_dn": "CN=instance",
    122. 

  122.     "serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
    123. 

  123.     "has_private_key": true,
    124. 

  124.     "expiry": "2021-01-15T20:44:32.000Z"
    125. 

  125.   }
    126. 

  126. ]
    127. 

  127. ----
    128. 

  128. // NOTCONSOLE
    129.