{agent} deployment models with mutual TLS

Mutual Transport Layer Security (mTLS) provides a higher level of security and trust compared to one-way TLS, where only the server presents a certificate. It ensures that not only the server is who it claims to be, but the client is also authenticated. This is particularly valuable in scenarios where both parties need to establish trust and validate each other’s identities, such as in secure API communication, web services, or remote authentication.

For a summary of flow by which TLS is established between components using either one-way or mutual TLS, refer to [tls-overview].

Overview
On-premise deployments
{fleet-server} on {ecloud}
{fleet-server} on {ecloud} using a proxy
{fleet-server} on-premise and Hosted Elasticsearch Service

Overview

With mutual TLS the following authentication and certification verification occurs:

Client Authentication: The client presents its digital certificate to the server during the TLS handshake. This certificate is issued by a trusted Certificate Authority (CA) and contains the client’s public key.
Server Authentication: The server also presents its digital certificate to the client, proving its identity and sharing its public key. The server’s certificate is also issued by a trusted CA.
Certificate Verification: Both the client and server verify each other’s certificates by checking the digital signatures against the CAs' public key (note that the client and server need not use the same CA).

{fleet}-managed {agent} has two main connections to ensure correct operations:

Connectivity to {fleet-server} (the control plane, to check in, download policies, and similar).
Connectivity to an Output (the data plane, such as {es} or {ls}).

In order to bootstrap, {agent} initially must establish a secure connection to the {fleet-server}, which can reside on-premises or in {ecloud}. This connectivity verification process ensures the agent’s authenticity. Once verified, the agent receives the policy configuration. This policy download equips the agent with the knowledge of the other components it needs to engage with. For instance, it gains insights into the output destinations it should write data to.

When mTLS is required, the secure setup between {agent}, {fleet}, and {fleet-server} is configured through the following steps:

mTLS is enabled.
The initial mTLS connection between {agent} and {fleet-server} is configured when {agent} is enrolled, using the parameters passed through the elastic-agent install or elastic-agent enroll command.
Once enrollment has completed, {agent} downloads the initial {agent} policy from {fleet-server}.
1. If the {agent} policy contains mTLS configuration settings, those settings will take precedence over those used during enrollment: This includes both the mTLS settings used for connectivity between {agent} and {fleet-server} (and the {fleet} application in {kib}, for {fleet}-managed {agent}), and the settings used between {agent} and it’s specified output.
2. If the {agent} policy does not contain any TLS, mTLS, or proxy configuration settings, these settings will remain as they were specified when {agent} enrolled. Note that the initial TLS, mTLS, or proxy configuration settings can not be removed through the {agent} policy; they can only be updated.

Important

When you run {agent} with the {elastic-defend} integration, the TLS certificates used to connect to {fleet-server} and {es} need to be generated using RSA. For a full list of available algorithms to use when configuring TLS or mTLS, see Configure SSL/TLS for standalone {agents}. These settings are available for both standalone and {fleet}-managed {agent}.

On-premise deployments

Diagram of mutual TLS on premise deployment model

Refer to the steps in Configure SSL/TLS for self-managed {fleet-server}s. To configure mutual TLS, include the following additional parameters when you install {agent} and {fleet-server}.

{agent} settings

During {agent} installation on premise use the following options:

`--certificate-authorities`	List of CA certificates that are trusted when {fleet-server} connects to {agent}
`--elastic-agent-cert`	{agent} certificate to present to {fleet-server} during authentication
`--elastic-agent-cert-key`	{agent} certificate key to present to {fleet-server}
`--elastic-agent-cert-key-passphrase`	The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}

{fleet-server} settings

During {fleet-server} installation on-premise {fleet-server} authenticates with {es} and {agents}. You can use the following CLI options to facilitate these secure connections:

`--fleet-server-es-ca`	CA to use for the {es} connection
`--fleet-server-es-cert`	{fleet-server} certificate to present to {es}
`--fleet-server-es-cert-key`	{fleet-server} certificate key to present to {es}
`--certificate-authorities`	List of CA certificates that are trusted when {agent} connects to {fleet-server} and when {fleet-server} validates the {agent} identity.
`--fleet-server-cert`	{fleet-server} certificate to present to {agents} during authentication
`--fleet-server-cert-key`	{fleet-server}'s private certificate key used to decrypt the certificate

{fleet} settings:

In {kib}, navigate to {fleet}, open the Settings tab, and choose the Output that you’d like to configure. In the Advanced YAML configuration, add the following settings:

ssl.certificate_authorities

List of CA certificates that are trusted when {fleet-server} connects to {agent}

ssl.certificate

This certificate will be passed down to all the agents that have this output configured in their policy. This certificate is used by the agent when establishing mTLS to the output.

You may either apply the full certificate, in which case all the agents get the same certificate OR alternatively point to a local directory on the agent where the certificate resides, if the certificates are to be unique per agent.

ssl.key

This certificate key will be passed down to all the agents that have this output configured in their policy. The certificate key is used to decrypt the SSL certificate.

Important

Note the following when you specify these SSL settings:

The certificate authority, certificate, and certificate key need to be specified as a path to a local file. You cannot specify a directory.
You can define multiple CAs or paths to CAs.
Only one certificate and certificate key can be defined.

In the Advanced YAML configuration these settings should be added in the following format:

ssl.certificate_authorities:
  - /path/to/ca
ssl.certificate: /path/to/cert
ssl.key: /path/to/cert_key

OR

ssl.certificate_authorities:
  - /path/to/ca
ssl.certificate: /path/to/cert
ssl.key: /path/to/cert_key

Screen capture of output advanced yaml settings

{fleet-server} on {ecloud}

In this deployment model, all traffic ingress into {ecloud} has its TLS connection terminated at the {ecloud} boundary. Since this termination is not handled on a per-tenant basis, a client-specific certificate can NOT be used at this point.

Diagram of mutual TLS on cloud deployment model

We currently don’t support mTLS in this deployment model. An alternate deployment model is shown below where you can deploy your own secure proxy where TLS connections are terminated.