How to check which certificates are being used from API?

Hello,

Is it possible to retrieve informations about the certificates (transport, rest…) that are currently being used in the cluster from within the API?

In the documentation there is something regarding this subject : API - Open Distro for Elasticsearch Documentation but I don’t think it actually gives any information about the certificates. Here is the output I get for the endpoint _opendistro/_security/api/securityconfig :

{

    "config": {

        "dynamic": {

            "filtered_alias_mode": "warn",

            "disable_rest_auth": false,

            "disable_intertransport_auth": false,

            "respect_request_indices_options": false,

            "kibana": {

                "multitenancy_enabled": true,

                "server_username": "kibanaserver",

                "index": ".kibana"

            },

            "http": {

                "anonymous_auth_enabled": false,

                "xff": {

                    "enabled": false,

                    "internalProxies": "192\\.168\\.0\\.10|192\\.168\\.0\\.11",

                    "remoteIpHeader": "X-Forwarded-For"

                }

            },

            "authc": {

                "jwt_auth_domain": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "order": 0,

                    "http_authenticator": {

                        "challenge": false,

                        "type": "jwt",

                        "config": {

                            "signing_key": "base64 encoded HMAC key or public RSA/ECDSA pem key",

                            "jwt_header": "Authorization"

                        }

                    },

                    "authentication_backend": {

                        "type": "noop",

                        "config": {}

                    },

                    "description": "Authenticate via Json Web Token"

                },

                "ldap": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "order": 5,

                    "http_authenticator": {

                        "challenge": false,

                        "type": "basic",

                        "config": {}

                    },

                    "authentication_backend": {

                        "type": "ldap",

                        "config": {

                            "enable_ssl": false,

                            "enable_start_tls": false,

                            "enable_ssl_client_auth": false,

                            "verify_hostnames": true,

                            "hosts": [

                                "localhost:8389"

                            ],

                            "userbase": "ou=people,dc=example,dc=com",

                            "usersearch": "(sAMAccountName={0})"

                        }

                    },

                    "description": "Authenticate via LDAP or Active Directory"

                },

                "basic_internal_auth_domain": {

                    "http_enabled": true,

                    "transport_enabled": true,

                    "order": 4,

                    "http_authenticator": {

                        "challenge": true,

                        "type": "basic",

                        "config": {}

                    },

                    "authentication_backend": {

                        "type": "intern",

                        "config": {}

                    },

                    "description": "Authenticate via HTTP Basic against internal users database"

                },

                "proxy_auth_domain": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "order": 3,

                    "http_authenticator": {

                        "challenge": false,

                        "type": "proxy",

                        "config": {

                            "user_header": "x-proxy-user",

                            "roles_header": "x-proxy-roles"

                        }

                    },

                    "authentication_backend": {

                        "type": "noop",

                        "config": {}

                    },

                    "description": "Authenticate via proxy"

                },

                "clientcert_auth_domain": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "order": 2,

                    "http_authenticator": {

                        "challenge": false,

                        "type": "clientcert",

                        "config": {

                            "username_attribute": "cn"

                        }

                    },

                    "authentication_backend": {

                        "type": "noop",

                        "config": {}

                    },

                    "description": "Authenticate via SSL client certificates"

                },

                "kerberos_auth_domain": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "order": 6,

                    "http_authenticator": {

                        "challenge": true,

                        "type": "kerberos",

                        "config": {

                            "krb_debug": false,

                            "strip_realm_from_principal": true

                        }

                    },

                    "authentication_backend": {

                        "type": "noop",

                        "config": {}

                    }

                }

            },

            "authz": {

                "roles_from_another_ldap": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "authorization_backend": {

                        "type": "ldap",

                        "config": {}

                    },

                    "description": "Authorize via another Active Directory"

                },

                "roles_from_myldap": {

                    "http_enabled": false,

                    "transport_enabled": false,

                    "authorization_backend": {

                        "type": "ldap",

                        "config": {

                            "enable_ssl": false,

                            "enable_start_tls": false,

                            "enable_ssl_client_auth": false,

                            "verify_hostnames": true,

                            "hosts": [

                                "localhost:8389"

                            ],

                            "rolebase": "ou=groups,dc=example,dc=com",

                            "rolesearch": "(member={0})",

                            "userrolename": "disabled",

                            "rolename": "cn",

                            "resolve_nested_roles": true,

                            "userbase": "ou=people,dc=example,dc=com",

                            "usersearch": "(uid={0})"

                        }

                    },

                    "description": "Authorize via LDAP or Active Directory"

                }

            },

            "auth_failure_listeners": {},

            "do_not_fail_on_forbidden": false,

            "multi_rolespan_enabled": true,

            "hosts_resolver_mode": "ip-only",

            "do_not_fail_on_forbidden_empty": false

        }

    }

}

Yes. You can use openssl s_client -connect IP_address:port_number

i.e.

openssl s_client -connect localhost:9200
openssl s_client -connect localhost:9300

2 Likes