Client certificate authentication

    Client certificate authentication offers security advantages over basic authentication (username and password) alone. Because it requires both a client certificate and the matching private key, which are typically held only by the user, it is far less exposed to brute-force attacks in which an attacker tries to guess a user’s password.

    Another benefit is that client certificate authentication can be combined with basic authentication, providing two independent layers of security.

    To enable client certificate authentication, you must first set in opensearch.yml to either OPTIONAL or :

    You can now assign your certificate’s common name (CN) to a role. For this step, you must know your certificate’s CN and the role you want to assign it to. To get a list of all predefined roles in OpenSearch, refer to our list of predefined roles. If you want to create a role first, refer to , and then map your certificate’s CN to that role.

    After deciding which role you want to map your certificate’s CN to, you can use OpenSearch Dashboards, , or the REST API to perform the mapping. The following example uses the to map the common name CLIENT1 to the role readall.

    Sample request

    After mapping a role to your client certificate’s CN, you’re ready to connect to your cluster using those credentials.

    The code example below uses the Python library to connect to a local OpenSearch cluster and sends a GET request to the movies index.
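The whole procedure above (role mapping via the security REST API, then a request to the movies index over mutual TLS) as one added example. This is not the page's own code and not an OpenSearch project sample; the page's elided example uses a Python client library, whereas this one uses only the standard library so the TLS mechanics stay visible. Assumed and adjustable: the cluster at localhost:9200, the file names root-ca.pem, client1.pem, client1-key.pem, admin.pem and admin-key.pem, and that the security REST API is called with an identity permitted to use it (by default the admin certificate). The setting name plugins.security.ssl.http.clientauth_mode and the rolesmapping API path are, to my knowledge, those of the OpenSearch security plugin but are not stated on this page.

```python
"""
Added example (not from the OpenSearch documentation).

Maps a client certificate's CN to a role, then queries the movies index
authenticated by the certificate alone, optionally with basic auth as a
second layer.

Assumptions (placeholders, adjust to your cluster):
  - opensearch.yml has plugins.security.ssl.http.clientauth_mode set to
    OPTIONAL or REQUIRE
  - https://localhost:9200 is the cluster
  - root-ca.pem is the CA; admin.pem/admin-key.pem is the admin identity
    allowed to call the security API; client1.pem/client1-key.pem is the
    certificate with CN=CLIENT1 and its private key
"""
from __future__ import annotations

import base64
import http.client
import json
import ssl

SECURITY_API = "/_plugins/_security/api"


def rolesmapping_request(role: str, common_names: list[str]) -> tuple[str, str, dict]:
    """Build the (method, path, body) that maps certificate CNs to a role.

    The security plugin matches a client certificate's CN against the
    ``users`` field of a role mapping, so CLIENT1 belongs in ``users``.
    """
    if not role or not common_names or any(not cn for cn in common_names):
        raise ValueError("role and common names must be non-empty")
    return "PUT", f"{SECURITY_API}/rolesmapping/{role}", {"users": list(common_names)}


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials, usable on top of the certificate as a second layer."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def mutual_tls_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS context that verifies the cluster against the CA and presents the
    client certificate plus private key; a missing file raises immediately."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + hostname check
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def request(ctx: ssl.SSLContext, host: str, port: int, method: str, path: str,
            body: dict | None = None, basic_auth: str | None = None) -> tuple[int, dict]:
    """Perform one HTTPS request over the mutual-TLS context; return (status, JSON)."""
    headers = {"Content-Type": "application/json"}
    if basic_auth:                       # optional second factor beside the certificate
        headers["Authorization"] = basic_auth
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        payload = json.dumps(body) if body is not None else None
        conn.request(method, path, body=payload, headers=headers)
        resp = conn.getresponse()
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})
    finally:
        conn.close()


if __name__ == "__main__":
    # Step 1: map CN=CLIENT1 to readall, using the admin certificate (placeholder files).
    admin_ctx = mutual_tls_context("root-ca.pem", "admin.pem", "admin-key.pem")
    method, path, body = rolesmapping_request("readall", ["CLIENT1"])
    print(request(admin_ctx, "localhost", 9200, method, path, body))

    # Step 2: search the movies index authenticated only by CLIENT1's certificate.
    client_ctx = mutual_tls_context("root-ca.pem", "client1.pem", "client1-key.pem")
    print(request(client_ctx, "localhost", 9200, "GET", "/movies/_search"))
```

With clientauth_mode set to REQUIRE, the TLS handshake itself fails for a peer that presents no certificate, so the request in step 2 never reaches the authorization layer without a valid chain; with OPTIONAL, a connection without a certificate falls through to the other configured authenticators, which is why pairing it with basic authentication still leaves a password-based path open.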

    While we recommend using the installation of ODFE to test client certificate authentication configurations, you can also use any of the other install types. For instructions on using Docker, for example, see Docker security configuration.