Deprecating Client Authentication Extended Key Usage in certificates

We have OpenSearch and OpenSearch Dashboards 2.19.1 running on a single node and everything is working great! Both sit behind a nginx reverse proxy and communication between nginx and OpenSearch is over TLS. We also have an admin certificate which we use to run the securityadmin.sh script with the arguments -cacert, -cert, and -key. The admin certificate and the TLS certificate for OpenSearch are issued by my company and they are the root CA, which works because this is all internal. As I said before, everything is working smoothly and as expected.

Recently, my company sent out an email saying that the “Client Authentication Extended Key Usage” will no longer be included in public TLS certificates and I’m trying to understand how this will impact my OpenSearch setup. It looks like this change is happening industry-wide (Sunsetting the client authentication EKU from DigiCert public TLS certificates; Removal of the Client Authentication EKU from TLS Server Certificates – What You Need to Know - SSL.com). From everything I mentioned about my setup, will this change affect us? We are thinking about establishing a cluster in the future. How will this change impact us then?

Looking at my two certificates, I can see that the Extended Key Usage lists both server and client:
$ openssl x509 -in certificate.crt -text -noout | grep -A1 "Extended Key Usage"
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

Thanks in advance!

Hi @Phil. The mentioned article regards public SSL certificates created by external CAs.
Your cluster is using internal certificates, and your admins can create certificates that have both Client and Server authentication in EKU.

Regarding the OpenSearch cluster, these EKU settings should be in your internal certificates.

OpenSearch SSL HTTP (9200) - Server Authentication
OpenSearch SSL Transport (9300-9400) - Client and Server Authentication
admin_dn (superadmin certificate for securityadmin.sh script) - Client Authentication

OpenSearch Dashboards HTTPS (443) - Server Authentication

The reason why the transport layer requires both Client and Server Authentications is the fact that OpenSearch nodes initiate SSL communication with other nodes using an SSL certificate (mTLS) and at the same time expose themselves for SSL communication. On ports 9300-9400, they act as a client and server at the same time.

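To make the per-role EKU table in the answer above concrete, here is an added example (not code from the thread or from the OpenSearch project) that stands up a throwaway internal root CA, issues one leaf with each EKU combination, and checks every leaf against the three OpenSearch roles. Go's crypto/x509 stands in for the verifying TLS stack: any peer that performs standard EKU checks rejects a chain the same way, so a transport certificate carrying only serverAuth, which is what a public CA would now issue, fails the client-side half of node-to-node mTLS while still being fine for the HTTP listener. Every hostname and CA name below is made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// EKUs each OpenSearch certificate role needs, per the answer above. The transport
// certificate needs both because a node is TLS client and TLS server at the same time.
var roleEKUs = map[string][]x509.ExtKeyUsage{
	"http":      {x509.ExtKeyUsageServerAuth},
	"transport": {x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	"admin":     {x509.ExtKeyUsageClientAuth},
}

var ekuNames = map[x509.ExtKeyUsage]string{
	x509.ExtKeyUsageServerAuth: "serverAuth",
	x509.ExtKeyUsageClientAuth: "clientAuth",
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// mustCreate signs tmpl with signer (self-signed when parent == tmpl) and parses the result.
func mustCreate(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed root standing in for the company's internal CA (constructed fixture).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"}, // assumed name
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// issue signs a leaf for cn carrying exactly the EKUs requested.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		DNSNames:    []string{cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: ekus,
	}
	return mustCreate(tmpl, ca, &leafKey.PublicKey, caKey)
}

// checkRole verifies the chain once per required EKU. x509.Verify accepts a chain that is
// valid for ANY usage in KeyUsages, so a role that needs two EKUs needs two separate calls.
func checkRole(cert, ca *x509.Certificate, role string) error {
	ekus, ok := roleEKUs[role]
	if !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range ekus {
		opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}
		if _, err := cert.Verify(opts); err != nil {
			return fmt.Errorf("%s role: %q is not usable for %s: %w", role, cert.Subject.CommonName, ekuNames[eku], err)
		}
	}
	return nil
}

// evaluate issues one leaf per EKU combination and records which roles each one satisfies.
func evaluate() map[string]bool {
	ca, caKey := newCA()
	certs := map[string]*x509.Certificate{
		"both":       issue(ca, caKey, "node1.internal.example", roleEKUs["transport"]), // assumed hosts
		"serverOnly": issue(ca, caKey, "node2.internal.example", roleEKUs["http"]),
		"clientOnly": issue(ca, caKey, "admin.internal.example", roleEKUs["admin"]),
	}
	results := map[string]bool{}
	for name, cert := range certs {
		for role := range roleEKUs {
			results[name+"/"+role] = checkRole(cert, ca, role) == nil
		}
	}
	return results
}

func main() {
	for k, ok := range evaluate() {
		fmt.Printf("%-22s %v\n", k, ok)
	}
}
```

The "serverOnly" leaf passes the http role and fails both transport and admin, which is the outcome the asker would see if the internal CA adopted the public-CA policy for node certificates; the "both" leaf passes everything, matching the certificates shown in the question. One caveat when adapting this to audit real files: Go's verifier treats a leaf that carries no EKU extension at all as valid for every usage, so the check only reports a restriction when the extension is present and excludes the purpose.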

This was very helpful! Thank you so much!
