Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for elastic-agent-cert-key-passphrase option #1413

Merged
merged 7 commits into from
Nov 4, 2024
16 changes: 16 additions & 0 deletions docs/en/ingest-management/commands.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,7 @@ elastic-agent enroll --url <string>
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--force]
[--header <strings>]
[--help]
Expand Down Expand Up @@ -191,6 +192,7 @@ elastic-agent enroll --fleet-server-es <string>
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--fleet-server-cert <string>] <1>
[--fleet-server-cert-key <string>]
[--fleet-server-cert-key-passphrase <string>]
Expand Down Expand Up @@ -251,6 +253,12 @@ Certificate to use as the client certificate for the {agent}'s connections to {f
`--elastic-agent-cert-key`::
Private key to use as for the {agent}'s connections to {fleet-server}.

`--elastic-agent-cert-key-passphrase`::
The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
+
This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.

`--enrollment-token <string>`::
Enrollment token to use to enroll {agent} into {fleet}. You can use
the same enrollment token for multiple agents.
Expand Down Expand Up @@ -580,6 +588,7 @@ elastic-agent install --url <string>
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--force]
[--header <strings>]
[--help]
Expand Down Expand Up @@ -611,6 +620,7 @@ elastic-agent install --fleet-server-es <string>
[--delay-enroll]
[--elastic-agent-cert <string>]
[--elastic-agent-cert-key <string>]
[--elastic-agent-cert-key-passphrase <string>]
[--fleet-server-cert <string>] <1>
[--fleet-server-cert-key <string>]
[--fleet-server-cert-key-passphrase <string>]
Expand Down Expand Up @@ -679,6 +689,12 @@ Certificate to use as the client certificate for the {agent}'s connections to {f
`--elastic-agent-cert-key`::
Private key to use as for the {agent}'s connections to {fleet-server}.

`--elastic-agent-cert-key-passphrase`::
The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
+
This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.

`--enrollment-token <string>`::
Enrollment token to use to enroll {agent} into {fleet}. You can use
the same enrollment token for multiple agents.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,8 @@ include::shared-env.asciidoc[tag=elastic-agent-cert]

include::shared-env.asciidoc[tag=elastic-agent-cert-key]

include::shared-env.asciidoc[tag=elastic-agent-cert-key-passphrase]

include::shared-env.asciidoc[tag=elastic-agent-tag]

include::shared-env.asciidoc[tag=fleet-enroll]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,18 @@ OPTIONAL INFO AND EXAMPLE

// end::elastic-agent-cert-key[]

// tag::elastic-agent-cert-key-passphrase[]
|
[id="env-{type}-elastic-agent-cert-key-passphrase"]
`ELASTIC_AGENT_CERT_KEY_PASSPHRASE`

| (string) The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
The file must only contain the characters of the passphrase, no newline or extra non-printing characters.

This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.

// end::elastic-agent-cert-key-passphrase[]

// =============================================================================

// tag::elastic-agent-tag[]
Expand Down
5 changes: 5 additions & 0 deletions docs/en/ingest-management/security/certificates.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -231,6 +231,7 @@ sudo ./elastic-agent install \
--fleet-server-port=8220 \
--elastic-agent-cert=/tmp/fleet-server.crt \
--elastic-agent-cert-key=/tmp/fleet-server.key \
--elastic-agent-cert-key-passphrase=/tmp/fleet-server/passphrase-file \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment thread seems to be gone, so just for reference I changed the ????? to passphrase-file for clarity.

--fleet-server-es-cert=/tmp/fleet-server.crt \
--fleet-server-es-cert-key=/tmp/fleet-server.key \
--fleet-server-client-auth=required
Expand Down Expand Up @@ -263,6 +264,10 @@ to the other {agents}
The certificate to use as the client certificate for {agent}'s connections to {fleet-server}.
`elastic-agent-cert-key`::
The path to the private key to use as for {agent}'s connections to {fleet-server}.
`elastic-agent-cert-key`::
The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
This option is only used if the `elastic-agent-cert-key` is encrypted and requires a passphrase to use.
`fleet-server-es-cert`::
The path to the client certificate that {fleet-server} will use when connecting to {es}.
`fleet-server-es-cert-key`::
Expand Down
9 changes: 9 additions & 0 deletions docs/en/ingest-management/security/mutual-tls.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@ During {agent} installation on premise use the following options:

|`--elastic-agent-cert-key`
|{agent} certificate key to present to {fleet-server}

|`--elastic-agent-cert-key-passphrase`
|The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}
|===

[discrete]
Expand Down Expand Up @@ -183,6 +186,9 @@ During {agent} installation on premise use the following options:

|`--elastic-agent-cert-key`
|{agent}'s private certificate key used to decrypt the certificate

|`--elastic-agent-cert-key-passphrase`
|The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}
|===

[discrete]
Expand Down Expand Up @@ -213,6 +219,9 @@ During {agent} installation on premise use the following options, similar to <<m

|`--elastic-agent-cert-key`
|{agent}'s private certificate key used to decrypt the certificate

|`--elastic-agent-cert-key-passphrase`
|The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}
|===

[discrete]
Expand Down
1 change: 1 addition & 0 deletions docs/en/ingest-management/security/tls-overview.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ elastic-agent install --url=https://your-fleet-server.elastic.co:443 \
--certificate-authorities=/path/to/fleet-ca,/path/to/agent-ca \
--elastic-agent-cert=/path/to/agent-cert \
--elastic-agent-cert-key=/path/to/agent-cert-key \
--elastic-agent-cert-key=/path/to/agent-cert-key-passphrase \
--fleet-server-es=https://es.elastic.com:443 \
--fleet-server-es-ca=/path/to/es-ca \
--fleet-server-es-cert=/path/to/fleet-es-cert \
Expand Down