Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 79d6c3e70d
Branches Tags
elasticsearch
/
docs
/
reference
/
rest-api
/
security
/
ssl.asciidoc

ssl.asciidoc 4.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122 
  1. [role="xpack"]
    2. 

  2. [[security-api-ssl]]
    3. 

  3. === SSL certificate API
    4. 

  4. ++++
    5. 

  5. <titleabbrev>SSL certificate</titleabbrev>
    6. 

  6. ++++
    7. 

  7. 

  8. The `certificates` API enables you to retrieve information about the X.509
    9. 

  9. certificates that are used to encrypt communications in your {es} cluster.
    10. 

  10. 

  11. [[security-api-ssl-request]]
    12. 

  12. ==== {api-request-title}
    13. 

  13. 

  14. `GET /_ssl/certificates`
    15. 

  15. 

  16. 

  17. [[security-api-ssl-prereqs]]
    18. 

  18. ==== {api-prereq-title}
    19. 

  19. 

  20. * If the {security-features} are enabled, you must have `monitor` cluster
    21. 

  21. privileges to use this API. For more information, see
    22. 

  22. <<security-privileges>>.
    23. 

  23. 

  24. [[security-api-ssl-desc]]
    25. 

  25. ==== {api-description-title}
    26. 

  26. 

  27. For more information about how certificates are configured in conjunction with
    28. 

  28. Transport Layer Security (TLS), see
    29. 

  29. <<encrypt-internode-communication>>.
    30. 

  30. 

  31. The API returns a list that includes certificates from all TLS contexts
    32. 

  32. including:
    33. 

  33. 

  34. * Settings for transport and HTTP interfaces
    35. 

  35. * TLS settings that are used within authentication realms
    36. 

  36. * TLS settings for remote monitoring exporters
    37. 

  37. 

  38. The list includes certificates that are used for configuring trust, such as
    39. 

  39. those configured in the `xpack.security.transport.ssl.truststore` and
    40. 

  40. `xpack.security.transport.ssl.certificate_authorities` settings. It also
    41. 

  41. includes certificates that are used for configuring server identity, such as
    42. 

  42. `xpack.security.http.ssl.keystore` and
    43. 

  43. `xpack.security.http.ssl.certificate` settings.
    44. 

  44. 

  45. The list does not include certificates that are sourced from the default SSL
    46. 

  46. context of the Java Runtime Environment (JRE), even if those certificates are in
    47. 

  47. use within {es}.
    48. 

  48. 

  49. NOTE: When a PKCS#11 token is configured as the truststore of the JRE, the API
    50. 

  50. will return all the certificates that are included in the PKCS#11 token
    51. 

  51. irrespectively to whether these are used in the {es} TLS configuration or not.
    52. 

  52. 

  53. If {es} is configured to use a keystore or truststore, the API output
    54. 

  54. includes all certificates in that store, even though some of the certificates
    55. 

  55. might not be in active use within the cluster.
    56. 

  56. 

  57. [[security-api-ssl-response-body]]
    58. 

  58. ==== {api-response-body-title}
    59. 

  59. 

  60. The response is an array of objects, with each object representing a
    61. 

  61. single certificate. The fields in each object are:
    62. 

  62. 

  63. `path`:: (string) The path to the certificate, as configured in the
    64. 

  64. `elasticsearch.yml` file.
    65. 

  65. `format`:: (string) The format of the file. One of: `jks`, `PKCS12`, `PEM`.
    66. 

  66. `alias`:: (string) If the path refers to a container file (a jks keystore, or a
    67. 

  67.   PKCS#12 file), the alias of the certificate. Otherwise, null.
    68. 

  68. `subject_dn`:: (string) The Distinguished Name of the certificate's subject.
    69. 

  69. `serial_number`:: (string) The hexadecimal representation of the certificate's
    70. 

  70. serial number.
    71. 

  71. `has_private_key`:: (Boolean) Indicates whether {es} has access to the private
    72. 

  72. key for this certificate.
    73. 

  73. `expiry`:: (string) The ISO formatted date of the certificate's expiry
    74. 

  74. (not-after) date.
    75. 

  75. `issuer`:: (string) The Distinguished Name of the certificate's issuer.
    76. 

  76. 

  77. [[security-api-ssl-example]]
    78. 

  78. ==== {api-examples-title}
    79. 

  79. 

  80. The following example provides information about the certificates on a single
    81. 

  81. node of {es}:
    82. 

  82. 

  83. [source,console]
    84. 

  84. --------------------------------------------------
    85. 

  85. GET /_ssl/certificates
    86. 

  86. --------------------------------------------------
    87. 

  87. 

  88. The API returns the following results:
    89. 

  89. 

  90. [source,js]
    91. 

  91. ----
    92. 

  92. [
    93. 

  93.   {
    94. 

  94.     "path": "certs/elastic-certificates.p12",
    95. 

  95.     "format": "PKCS12",
    96. 

  96.     "alias": "instance",
    97. 

  97.     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    98. 

  98.     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    99. 

  99.     "has_private_key": false,
    100. 

  100.     "expiry": "2021-01-15T20:42:49.000Z"
    101. 

  101.   },
    102. 

  102.   {
    103. 

  103.     "path": "certs/elastic-certificates.p12",
    104. 

  104.     "format": "PKCS12",
    105. 

  105.     "alias": "ca",
    106. 

  106.     "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    107. 

  107.     "serial_number": "a20f0ee901e8f69dc633ff633e5cd5437cdb4137",
    108. 

  108.     "has_private_key": false,
    109. 

  109.     "expiry": "2021-01-15T20:42:49.000Z"
    110. 

  110.   },
    111. 

  111.   {
    112. 

  112.     "path": "certs/elastic-certificates.p12",
    113. 

  113.     "format": "PKCS12",
    114. 

  114.     "alias": "instance",
    115. 

  115.     "subject_dn": "CN=instance",
    116. 

  116.     "serial_number": "fc1905e1494dc5230218d079c47a617088f84ce0",
    117. 

  117.     "has_private_key": true,
    118. 

  118.     "expiry": "2021-01-15T20:44:32.000Z"
    119. 

  119.   }
    120. 

  120. ]
    121. 

  121. ----
    122. 

  122. // NOTCONSOLE
    123.