diff --git a/docs/en/ingest-management/commands.asciidoc b/docs/en/ingest-management/commands.asciidoc
index 482c549ab..fe4486d32 100644
--- a/docs/en/ingest-management/commands.asciidoc
+++ b/docs/en/ingest-management/commands.asciidoc
@@ -164,6 +164,7 @@ elastic-agent enroll --url
 [--delay-enroll]
 [--elastic-agent-cert ]
 [--elastic-agent-cert-key ]
+ [--elastic-agent-cert-key-passphrase ]
 [--force]
 [--header ]
 [--help]
@@ -191,6 +192,7 @@ elastic-agent enroll --fleet-server-es
 [--delay-enroll]
 [--elastic-agent-cert ]
 [--elastic-agent-cert-key ]
+ [--elastic-agent-cert-key-passphrase ]
 [--fleet-server-cert ] <1>
 [--fleet-server-cert-key ]
 [--fleet-server-cert-key-passphrase ]
@@ -251,6 +253,12 @@ Certificate to use as the client certificate for the {agent}'s connections to {f
 `--elastic-agent-cert-key`::
 Private key to use as for the {agent}'s connections to {fleet-server}.
+`--elastic-agent-cert-key-passphrase`::
+The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
+The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
++
+This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.
+
 `--enrollment-token `::
 Enrollment token to use to enroll {agent} into {fleet}. You can use the same enrollment token for multiple agents.
@@ -580,6 +588,7 @@ elastic-agent install --url
 [--delay-enroll]
 [--elastic-agent-cert ]
 [--elastic-agent-cert-key ]
+ [--elastic-agent-cert-key-passphrase ]
 [--force]
 [--header ]
 [--help]
@@ -611,6 +620,7 @@ elastic-agent install --fleet-server-es
 [--delay-enroll]
 [--elastic-agent-cert ]
 [--elastic-agent-cert-key ]
+ [--elastic-agent-cert-key-passphrase ]
 [--fleet-server-cert ] <1>
 [--fleet-server-cert-key ]
 [--fleet-server-cert-key-passphrase ]
@@ -679,6 +689,12 @@ Certificate to use as the client certificate for the {agent}'s connections to {f
 `--elastic-agent-cert-key`::
 Private key to use as for the {agent}'s connections to {fleet-server}.
+`--elastic-agent-cert-key-passphrase`::
+The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
+The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
++
+This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.
+
 `--enrollment-token `::
 Enrollment token to use to enroll {agent} into {fleet}. You can use the same enrollment token for multiple agents.
diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
index e2275bc60..3aa5a0d07 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/container-envs.asciidoc
@@ -149,6 +149,8 @@ include::shared-env.asciidoc[tag=elastic-agent-cert]
 include::shared-env.asciidoc[tag=elastic-agent-cert-key]
+include::shared-env.asciidoc[tag=elastic-agent-cert-key-passphrase]
+
 include::shared-env.asciidoc[tag=elastic-agent-tag]
 include::shared-env.asciidoc[tag=fleet-enroll]
diff --git a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
index 71cfd7bf8..b12c947c1 100644
--- a/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
+++ b/docs/en/ingest-management/elastic-agent/configuration/env/shared-env.asciidoc
@@ -37,6 +37,18 @@ OPTIONAL INFO AND EXAMPLE
 // end::elastic-agent-cert-key[]
+// tag::elastic-agent-cert-key-passphrase[]
+|
+[id="env-{type}-elastic-agent-cert-key-passphrase"]
+`ELASTIC_AGENT_CERT_KEY_PASSPHRASE`
+
+| (string) The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
+The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
+
+This option is only used if the `--elastic-agent-cert-key` is encrypted and requires a passphrase to use.
+
+// end::elastic-agent-cert-key-passphrase[]
+
 // =============================================================================
 // tag::elastic-agent-tag[]
diff --git a/docs/en/ingest-management/security/certificates.asciidoc b/docs/en/ingest-management/security/certificates.asciidoc
index 60a031262..56dde3b56 100644
--- a/docs/en/ingest-management/security/certificates.asciidoc
+++ b/docs/en/ingest-management/security/certificates.asciidoc
@@ -231,6 +231,7 @@ sudo ./elastic-agent install \
 --fleet-server-port=8220 \
 --elastic-agent-cert=/tmp/fleet-server.crt \
 --elastic-agent-cert-key=/tmp/fleet-server.key \
+ --elastic-agent-cert-key-passphrase=/tmp/fleet-server/passphrase-file \
 --fleet-server-es-cert=/tmp/fleet-server.crt \
 --fleet-server-es-cert-key=/tmp/fleet-server.key \
 --fleet-server-client-auth=required
@@ -263,6 +264,10 @@ to the other {agents}
 The certificate to use as the client certificate for {agent}'s connections to {fleet-server}.
 `elastic-agent-cert-key`::
 The path to the private key to use as for {agent}'s connections to {fleet-server}.
+`elastic-agent-cert-key`::
+The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}.
+The file must only contain the characters of the passphrase, no newline or extra non-printing characters.
+This option is only used if the `elastic-agent-cert-key` is encrypted and requires a passphrase to use.
 `fleet-server-es-cert`::
 The path to the client certificate that {fleet-server} will use when connecting to {es}.
 `fleet-server-es-cert-key`::
diff --git a/docs/en/ingest-management/security/mutual-tls.asciidoc b/docs/en/ingest-management/security/mutual-tls.asciidoc
index e757b69c5..acd276a5a 100644
--- a/docs/en/ingest-management/security/mutual-tls.asciidoc
+++ b/docs/en/ingest-management/security/mutual-tls.asciidoc
@@ -72,6 +72,9 @@ During {agent} installation on premise use the following options:
 |`--elastic-agent-cert-key`
 |{agent} certificate key to present to {fleet-server}
+
+|`--elastic-agent-cert-key-passphrase`
+|The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}
 |===
 [discrete]
@@ -183,6 +186,9 @@ During {agent} installation on premise use the following options:
 |`--elastic-agent-cert-key`
 |{agent}'s private certificate key used to decrypt the certificate
+
+|`--elastic-agent-cert-key-passphrase`
+|The path to the file that contains the passphrase for the mutual TLS private key that {agent} will use to connect to {fleet-server}
 |===
 [discrete]
@@ -213,6 +219,9 @@ During {agent} installation on premise use the following options, similar to <