Configure SSL/TLS
editConfigure SSL/TLS
editThere are a number of SSL configuration settings available depending on whether you are configuring a client, server, or both. See the following tables for available settings:
- Table 1, “Common configuration options”. These settings are valid in both client and server configurations.
- Table 2, “Client configuration options”
- Table 3, “Server configuration options”
For more information about using certificates, refer to Secure connections.
Table 1. Common configuration options
Setting | Description |
---|---|
(string) This configures a certificate pin that you can use to ensure that a specific certificate is part of the verified chain. The pin is a base64 encoded string of the SHA-256 of the certificate. This check is not a replacement for the normal SSL validation, but it adds
additional validation. If this setting is used with |
|
(list) The list of cipher suites to use. The first entry has the highest priority. If this option is omitted, the Go crypto library’s default suites are used (recommended). Note that TLS 1.3 cipher suites are not individually configurable in Go, so they are not included in this list. The following cipher suites are available:
Here is a list of acronyms used in defining the cipher suites:
|
|
(list) The list of curve types for ECDHE (Elliptic Curve Diffie-Hellman ephemeral key exchange). The following elliptic curve types are available:
|
|
(boolean) Enables or disables the SSL configuration. Default: SSL settings are disabled if either |
|
(list) List of allowed SSL/TLS versions. If the SSL/TLS server supports none
of the specified versions, the connection will be dropped during or after the
handshake. The list of allowed protocol versions include: Default: |
Table 2. Client configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL client authentication. This
setting is only required if Example: ssl.certificate: "/path/to/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for verifications (required). If
Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) The client certificate key used for client authentication. Only
required if Example: ssl.key: "/path/to/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Controls the verification of server certificates. Valid values are:
Default: |
|
(string) A HEX encoded SHA-256 of a CA certificate. If this certificate is
present in the chain during the handshake, it will be added to the
Example: ssl.ca_trusted_fingerprint: 3b24d33844d6553...826 |
Table 3. Server configuration options
Setting | Description |
---|---|
(string) The path to the certificate for SSL server authentication. If the certificate is not specified, startup will fail. Example: ssl.certificate: "/path/to/server/cert.pem" When this setting is configured, the Specify a path, or embed a certificate directly in the ssl.certificate: | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(list) The list of root certificates for client verifications is only required
if Example: ssl.certificate_authorities: ["/path/to/root/ca.pem"] Specify a list of files that Elastic Agent will read, or embed a certificate directly
in the ssl.certificate_authorities: - | -----BEGIN CERTIFICATE----- CERTIFICATE CONTENT APPEARS HERE -----END CERTIFICATE----- |
|
(string) Configures client authentication. The valid options are:
Default: |
|
(string) The server certificate key used for authentication (required). Example: ssl.key: "/path/to/server/cert.key" Specify a path, or embed the private key directly in the ssl.key: | -----BEGIN PRIVATE KEY----- KEY CONTENT APPEARS HERE -----END PRIVATE KEY----- |
|
(string) The passphrase used to decrypt an encrypted key stored in the
configured |
|
(string) Configures the type of TLS renegotiation to support. The valid options are:
Default: |
|
(string) Controls the verification of client certificates. Valid values are:
Default: |