---
title: Elasticsearch client certificate authentication on ECK
description: For how ECK secures HTTP traffic and manages TLS certificates, see Manage TLS certificates on ECK. You can configure Elasticsearch to require client certificates...
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/deploy-manage/security/k8s-es-client-certificate-auth
products:
  - Elastic Cloud on Kubernetes
applies_to:
  - Elastic Cloud on Kubernetes: Planned
---

# Elasticsearch client certificate authentication on ECK
For details on how ECK secures HTTP traffic and manages TLS certificates, see [Manage TLS certificates on ECK](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/deploy-manage/security/eck-tls).
You can configure Elasticsearch to require client certificates for HTTP authentication, enabling mutual TLS (mTLS) between clients and Elasticsearch. When enabled, clients must present a valid certificate signed by a trusted CA to communicate with Elasticsearch.
Currently, the only supported client is Kibana. Other workloads that connect to Elasticsearch over HTTP are not configured automatically; they must present a certificate trusted by Elasticsearch (for example, by creating a labeled client certificate Secret that ECK aggregates into the trust bundle), or the connection is rejected.
<note>
  This requires a valid Enterprise license or Enterprise trial license. Check [the license documentation](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6201/deploy-manage/license/manage-your-license-in-eck) for more details about managing licenses.
</note>


## Enable client certificate authentication

To enable client certificate authentication on Elasticsearch, set `spec.http.tls.client.authentication` to `true`:
```yaml
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: quickstart
spec:
  version: 9.4.0
  nodeSets:
  - name: default
    count: 3
  http:
    tls:
      client:
        authentication: true
```

When client authentication is enabled, ECK does the following:
- Sets `xpack.security.http.ssl.client_authentication: required` in the Elasticsearch configuration.
- Generates and manages a client certificate for the ECK operator so it can continue communicating with Elasticsearch.
- Generates a client certificate for Kibana and configures it to present that certificate when connecting to Elasticsearch.
- Aggregates client certificates from Kubernetes secrets labeled with `eck.k8s.elastic.co/client-certificate: true` into a trust bundle mounted into Elasticsearch pods. The corresponding Elasticsearch cluster soft-owner labels are also included in this bundle.
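As an added example (not part of this page or of ECK's own code), the following Go program shows what a non-Kibana workload needs once client authentication is enabled: it generates a self-signed client certificate, checks it the way Elasticsearch will once `client_authentication` is `required` (the certificate must chain to something in the trust bundle and carry the clientAuth extended key usage), and renders the labeled `kubernetes.io/tls` Secret that ECK aggregates. The Secret name `my-app-client-cert`, the common name `my-app`, and the use of a self-signed certificate (so that the `tls.crt` entry picked up into the bundle is its own trust anchor) are assumptions made for the example; the verification helper accepts any PEM bundle, so a CA-issued certificate can be checked against its CA the same way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ClientCert holds a PEM-encoded certificate and private key, ready for the
// tls.crt and tls.key entries of a kubernetes.io/tls Secret.
type ClientCert struct {
	CertPEM []byte
	KeyPEM  []byte
}

// GenerateSelfSignedClientCert issues a self-signed certificate for a workload.
// Assumption for this example: the certificate placed in tls.crt is what ECK
// aggregates into the trust bundle, so it serves as its own trust anchor.
// With forClientAuth=false the certificate is marked for serverAuth only, which
// models the mistake of reusing a server certificate as a client certificate.
func GenerateSelfSignedClientCert(commonName string, forClientAuth bool) (*ClientCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	eku := x509.ExtKeyUsageServerAuth
	if forClientAuth {
		eku = x509.ExtKeyUsageClientAuth
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-5 * time.Minute),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return &ClientCert{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
	}, nil
}

// VerifyAgainstBundle mirrors the decision Elasticsearch makes on an incoming HTTPS
// connection when client_authentication is "required": the presented certificate
// must chain to a certificate in the trust bundle and be valid for client auth.
func VerifyAgainstBundle(clientCertPEM, bundlePEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return fmt.Errorf("trust bundle contains no parsable certificates")
	}
	block, _ := pem.Decode(clientCertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("client certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SecretManifest renders the labeled kubernetes.io/tls Secret. Kubernetes label
// values are strings, so "true" is quoted; an unquoted YAML boolean is rejected.
func SecretManifest(name string, c *ClientCert) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n", name)
	b.WriteString("  labels:\n    eck.k8s.elastic.co/client-certificate: \"true\"\n")
	b.WriteString("type: kubernetes.io/tls\ndata:\n")
	fmt.Fprintf(&b, "  tls.crt: %s\n", base64.StdEncoding.EncodeToString(c.CertPEM))
	fmt.Fprintf(&b, "  tls.key: %s\n", base64.StdEncoding.EncodeToString(c.KeyPEM))
	return b.String()
}

func main() {
	cert, err := GenerateSelfSignedClientCert("my-app", true) // assumed workload name
	if err != nil {
		panic(err)
	}
	// Once ECK picks up the Secret, the bundle contains this certificate.
	if err := VerifyAgainstBundle(cert.CertPEM, cert.CertPEM); err != nil {
		panic(err)
	}
	fmt.Print(SecretManifest("my-app-client-cert", cert))
}
```

Pipe the program's output to `kubectl apply -f -` in the namespace where the Elasticsearch cluster runs. The two negative cases the verification helper catches, a certificate that is not in the bundle and one issued for serverAuth only, are both reasons a workload's connection is rejected after client authentication is enabled, so they are worth checking before rolling the change out.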


## Use a custom client certificate for Kibana

When Elasticsearch requires client authentication, ECK automatically generates a client certificate for Kibana and configures it to present that certificate when connecting to Elasticsearch. No additional configuration is needed.
To use your own client certificate instead of the one generated by ECK, reference a Kubernetes secret containing the certificate and key in the `elasticsearchRef`:
```yaml
apiVersion: kibana.k8s.elastic.co/v1
kind: Kibana
metadata:
  name: quickstart
spec:
  version: 9.4.0
  count: 1
  elasticsearchRef:
    name: quickstart
    clientCertificateSecretName: my-custom-client-cert
```

The referenced secret must contain `tls.crt` and `tls.key` entries:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-custom-client-cert
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded certificate>
  tls.key: <base64-encoded private key>
```

<note>
  The `clientCertificateSecretName` field can only be used with a named `elasticsearchRef` (not with `secretName`).
</note>


## Disable client certificate authentication

To turn off client certificate authentication, set the field to `false` or remove it:
```yaml
  http:
    tls:
      client:
        authentication: false
```

ECK handles the transition gracefully: it defers cleanup of the mTLS resources until all pods have rolled over, so connectivity is maintained throughout the configuration change.