Cannot redirect to Kibana when using mixed certificates

It was time to shift the build from dev to production and now I am facing this weird issue. Yes, I am the one who opened this question back then.
The problem is that now we have a domain for the Keycloak instance (say but for Kibana we are still using a self-signed certificate generated with openssl. Maybe there is something I am missing, but with this setup Keycloak doesn't find the Kibana redirects.

The command I used to generate the root-ca:

```sh
# Root CA
openssl genrsa -out root-ca-key.pem 4096
openssl req -days 3652 -new -x509 -sha256 -key root-ca-key.pem -out root-ca.pem -subj "/C=US/L=Texas/O=Somewhere/OU=Something/"
```

My config.yml entry:


My kibana.yml entry:

```yaml
opendistro_security.openid.connect_url: ""
```

Note: I checked the certs generated from Let’s Encrypt and the CN contains “”.
Thanks in advance.

Hi @godhelpus

When you say Kibana certificate, do you mean the certificate configured in server.ssl.certificate? If so, it's completely fine to use a self-signed one there.



in kibana.yml and


in config.yml must refer to the same Keycloak certificate or Keycloak's root CA.
Also, be sure that Keycloak's certificate has the FQDN in its SAN.

Hi @pablo
I did exactly what you mentioned in the config.yml and kibana.yml file and it’s working fine now. Thank you very much.

If I had 2 different certs for Keycloak and Kibana (say “” and “” respectively), what should the configuration be?
My current config looks like this:

My kibana.yml:

```yaml
server.host: IP_ADDRESS # change this in production
server.port: PORT
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: PASSWORD # change this in production
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/kibana/config/kibana-key.pem" # self-signed
server.ssl.certificate: "/usr/share/kibana/config/kibana.pem" # self-signed
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/root-ca.pem"] # self-signed root CA
opendistro_security.openid.root_ca: "/usr/share/kibana/config/leca.pem" # Let's Encrypt CA (issuer of the Keycloak cert)

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "" # change this in production
opendistro_security.openid.client_id: "kibana_client" # change this in production
opendistro_security.openid.client_secret: "SECRET" # change this in production

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.multitenancy.enable_filter: false
```

My config.yml (the openid auth domain under config.dynamic.authc):

```yaml
config:
  dynamic:
    authc:
      openid_auth_domain:
        order: 1
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: # change this in production
            subject_key: "preferred_username"
            roles_key: "roles"
            openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/leca.pem" # Let's Encrypt CA (issuer of the Keycloak cert)
            openid_connect_idp.enable_ssl: true
            openid_connect_idp.verify_hostnames: false
        authentication_backend:
          type: noop
```

Thanks in advance.

Also, do you recommend keeping Keycloak and Kibana on the same instance (either in the same cluster or on the same physical/logical node) or on different instances (in a different cluster)?


Regarding Keycloak and Kibana placement, for a production environment it is always better to separate them and create redundancy.

Regarding the certs, your config is correct. Both Kibana and the ES security plugin can successfully verify Keycloak's certificate against the defined root CA certificate.

When you have two certs, Keycloak ( and Kibana (, the Kibana cert must be defined in


if you decide to enable SSL for the Kibana web client. The Keycloak certificate, as I mentioned before, must be configured in kibana.yml
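The two checks that the whole thread turns on (the Keycloak certificate must chain to the CA file that `opendistro_security.openid.root_ca` and `openid_connect_idp.pemtrustedcas_filepath` point at, and its SAN must list the host named in `openid_connect_url`) can be run with plain openssl before touching either YAML file. The script below is an added example, not code from the thread or from Open Distro: it builds a throwaway public-style CA (standing in for the Let's Encrypt bundle `leca.pem`), the self-signed `root-ca` from the first post, and one leaf certificate per service, then shows that the Keycloak certificate verifies only against the CA that issued it, while the Kibana certificate verifies against the self-signed root. All hostnames, the connect URL and the file names are constructed stand-ins for the values elided in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CAs and leaf certs built with openssl,
# plus the two checks behind pablo's answer:
#   1. the IdP (Keycloak) cert must chain to the CA file named in root_ca / pemtrustedcas_filepath;
#   2. that cert's SAN must carry the host that appears in openid_connect_url.
# Hostnames, URL and file names are constructed stand-ins for the ones elided in the posts.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA, same recipe as the thread's root-ca (2048-bit to keep it fast)
make_ca() {
  openssl genrsa -out "$WORK/$1-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3652 -key "$WORK/$1-key.pem" \
    -subj "/C=US/L=Texas/O=Somewhere/OU=Something/CN=$1" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf <ca-name> <leaf-name> <fqdn>: server cert signed by <ca-name> with DNS:<fqdn> in its SAN
issue_leaf() {
  openssl genrsa -out "$WORK/$2-key.pem" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$2-key.pem" -subj "/CN=$3" -out "$WORK/$2.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$3" >"$WORK/$2.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1-key.pem" -CAcreateserial -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" 2>/dev/null
}

# chain_ok <ca-file> <leaf>: succeeds only if <leaf> verifies against exactly that CA file,
# which is what the security plugin does with the file named in root_ca / pemtrustedcas_filepath
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# san_has <leaf> <fqdn>: succeeds only if the SAN extension lists DNS:<fqdn>
san_has() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | grep -qwF "DNS:$2"
}

# host_of_url <url>: host part of an openid_connect_url of the form scheme://host[:port]/...
host_of_url() { printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://([^/:]+).*$#\1#'; }

make_ca leca      # stands in for the Let's Encrypt CA bundle that issued the Keycloak cert
make_ca root-ca   # the self-signed root from the first post, used only for Kibana's own cert
issue_leaf leca    keycloak keycloak.example.test
issue_leaf root-ca kibana   kibana.example.test

# Constructed stand-in for the value of opendistro_security.openid.connect_url
CONNECT_URL="https://keycloak.example.test:8443/auth/realms/demo/.well-known/openid-configuration"
IDP_HOST="$(host_of_url "$CONNECT_URL")"

# The outcomes that decide which file belongs in which setting
chain_ok "$WORK/leca.pem" "$WORK/keycloak.pem" \
  && echo "ok: keycloak cert chains to leca.pem -> root_ca / pemtrustedcas_filepath must point here"
chain_ok "$WORK/root-ca.pem" "$WORK/keycloak.pem" \
  || echo "expected failure: keycloak cert does NOT chain to the self-signed root-ca.pem"
chain_ok "$WORK/root-ca.pem" "$WORK/kibana.pem" \
  && echo "ok: kibana's own cert chains to root-ca.pem (server.ssl.* side, independent of OpenID)"
san_has "$WORK/keycloak.pem" "$IDP_HOST" \
  && echo "ok: SAN of keycloak cert lists $IDP_HOST, so hostname verification can stay enabled"
```

Run it as-is to see the four outcomes; to check a real deployment, replace the `issue_leaf` calls with the paths of the actual `leca.pem` and Keycloak certificate and set `CONNECT_URL` to the configured connect URL. If `san_has` fails for the real certificate, `verify_hostnames: false` only hides the problem; reissuing the Keycloak certificate with the FQDN in its SAN is the fix.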