[event-handler] Add an Issuer DN to generated X.509 certs
ptgott opened this issue · 6 comments
The X.509 parsing package in the Java standard library (sun.security.x509) requires that X.509 certs include an Issuer DN field. Currently, the event-handler plugin issues certificates without this field. This means that the event-handler plugin cannot establish a TLS handshake with log collection tools that use Java's sun.security.x509 package, such as Logstash. We should add an Issuer DN to these certificates so we can expand the range of log management tools that Teleport users can integrate the event-handler plugin with.
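An added example, not part of the original issue and not the event-handler's own code: a Go check that flags a certificate whose Issuer DN is empty, run against two self-signed certificates built in the example. The helper names `selfSigned` and `hasEmptyIssuer`, the Ed25519 key, the `localhost` SAN and the `example-ca` name are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned (hypothetical helper) returns the DER of a self-signed certificate.
// Because template and parent are the same, the Issuer DN is copied from Subject.
func selfSigned(name pkix.Name) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed sample values
		Subject:      name,
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// hasEmptyIssuer reports whether the Issuer DN is an empty RDNSequence,
// which DER-encodes as exactly the two bytes 30 00.
func hasEmptyIssuer(der []byte) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.RawIssuer, []byte{0x30, 0x00}), nil
}

func main() {
	for _, n := range []pkix.Name{{}, {CommonName: "example-ca"}} {
		der, err := selfSigned(n)
		if err != nil {
			panic(err)
		}
		empty, _ := hasEmptyIssuer(der)
		fmt.Printf("subject=%q emptyIssuer=%v\n", n.String(), empty)
	}
}
```

Go's parser accepts the certificate with the empty issuer, so a check like this has to be explicit to catch the condition before the certificate reaches a stricter peer.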
Hi @EdwardDowling, just checking whether there are any unexpected blockers here. If so, I can plan to document using the Fluentd exporter with the ELK stack and Fluentd (which would become the EFK stack), rather than the canonical ELK stack as originally planned. Thanks!
Sorry for the delay, I've made a PR for adding the issuer DN field. If we want to add options for the user to configure the fields I could add them to this PR.
This looks good, thanks!
@ptgott Do you have an environment set up by chance where we can validate that the fix Edward made in this PR fixes the issue?
@r0mant I am writing/testing a guide to using the event handler with the Elastic Stack this week. I'll use an event handler build from this branch and post here when I've validated that this works.
I ran into an issue with this, documented here: #640 (comment)