Local setup for Elasticsearch with Xpack and Spring

Question

I locally installed Elasticsearch with X-Pack and Kibana 8.2.2 and made it up and running. I also created a new project with Spring and Java that would connect with Elasticsearch. When running Elasticsearch for the first time it creates a certificate for the http and transport layers.

I want to use a certificate in Spring to login into Elasticsearch. Therefore I added elasticsearch-rest-client. My problem is, which certificate do I need from Elasticsearch to connect to it and be able to create e.g. role-mappings? So that I have superuser rights?

Answer 1

Quoting the documentation:

When Elasticsearch is configured to require client TLS authentication, for example when a PKI realm is configured, the client needs to provide a client certificate during the TLS handshake in order to authenticate. The following is an example of setting up the client for TLS authentication with a certificate and a private key that are stored in a PKCS#12 keystore.

If the client certificate and key are not available in a keystore but rather as PEM encoded files, you cannot use them directly to build an SSLContext. You must rely on external libraries to parse the PEM key into a PrivateKey instance. Alternatively, you can use external tools to build a keystore from your PEM files, as shown in the following example: openssl pkcs12 -export -in client.crt -inkey private_key.pem -name "client" -out client.p12

How to set up PKI user authentication has a multi-page documentation and you'll be best served by using the one for your specific Elasticsearch version. The current version is available at https://www.elastic.co/guide/en/elasticsearch/reference/current/pki-realm.html but replace the current in the URL with whatever minor version you want to use (like 8.6).

PS: PKI authentication is a platinum licensed feature. But you can of course set it up with the free 30 day trial to see how it works.