Add note about elliptic-curve restriction (#1350)
* Add note about elliptic-curve restriction

* Update note and include for both TLS and mTLS

(cherry picked from commit 82d6349)
kilfoyle authored and mergify[bot] committed Oct 1, 2024
1 parent e644d14 commit 78ca87d
Showing 2 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions docs/en/ingest-management/security/certificates.asciidoc
Expand Up @@ -37,6 +37,8 @@ openssl pkcs12 -in path.p12 -out private.key -nocerts -nodes
Key passwords are not currently supported.
====

IMPORTANT: When you run {agent} with the {elastic-defend} integration, the link:https://en.wikipedia.org/wiki/X.509[TLS certificates] used to connect to {fleet-server} and {es} need to be generated using link:https://en.wikipedia.org/wiki/RSA_(cryptosystem)[RSA]. For a full list of available algorithms to use when configuring TLS or mTLS, see <<elastic-agent-ssl-configuration,Configure SSL/TLS for standalone {agents}>>. These settings are available for both standalone and {fleet}-managed {agent}.

[discrete]
[[generate-fleet-server-certs]]
== Generate a custom certificate and private key for {fleet-server}
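Review bot: The added IMPORTANT admonition tells the reader that the certificates must be generated with RSA but never names what is being excluded, even though the commit title calls this an elliptic-curve restriction; someone who already holds an ECDSA certificate will not recognise that it is the unsupported case. Suggest stating the exclusion the title implies in the note itself, e.g. `... need to be generated using RSA; certificates with elliptic-curve keys are not supported with the {elastic-defend} integration.` The closing sentence `These settings are available for both standalone and {fleet}-managed {agent}.` is also ambiguous about which settings it means, since the cross-reference just before it is titled for standalone agents only; naming them (the SSL/TLS configuration settings) would remove the ambiguity.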
2 changes: 2 additions & 0 deletions docs/en/ingest-management/security/mutual-tls.asciidoc
Expand Up @@ -48,6 +48,8 @@ When mTLS is required, the secure setup between {agent}, {fleet}, and {fleet-ser
.. If the {agent} policy contains mTLS configuration settings, those settings will take precedence over those used during enrollment: This includes both the mTLS settings used for connectivity between {agent} and {fleet-server} (and the {fleet} application in {kib}, for {fleet}-managed {agent}), and the settings used between {agent} and it's specified output.
.. If the {agent} policy does not contain any TLS, mTLS, or proxy configuration settings, these settings will remain as they were specified when {agent} enrolled. Note that the initial TLS, mTLS, or proxy configuration settings can not be removed through the {agent} policy; they can only be updated.
IMPORTANT: When you run {agent} with the {elastic-defend} integration, the link:https://en.wikipedia.org/wiki/X.509[TLS certificates] used to connect to {fleet-server} and {es} need to be generated using link:https://en.wikipedia.org/wiki/RSA_(cryptosystem)[RSA]. For a full list of available algorithms to use when configuring TLS or mTLS, see <<elastic-agent-ssl-configuration,Configure SSL/TLS for standalone {agents}>>. These settings are available for both standalone and {fleet}-managed {agent}.
[discrete]
[[mutual-tls-on-premise]]
== On-premise deployments
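Review bot: In this hunk the `IMPORTANT:` line sits directly after the `..` list item ending `they can only be updated.` and directly before `[discrete]`, with no blank line visible on either side. AsciiDoc recognises `IMPORTANT:` as an admonition only at the start of a paragraph, so without a blank line above it the text is joined onto the preceding list item and rendered inline with the literal `IMPORTANT:` prefix, and without a blank line below it the `[discrete]` attribute line is at risk of being absorbed into that paragraph instead of applying to the heading. The file summary reports 2 additions but only one added line is visible here, so the second is presumably a blank line; please confirm the committed file has a blank line on both sides of the admonition, matching the first hunk, where a blank line precedes the note and one follows it. Pre-existing nit in the context line above: `it's specified output` should read `its specified output`.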

0 comments on commit 78ca87d
