Enabling TLS on Kibana protects login credentials and session cookies from being intercepted, and prevents the web UI from being modified in transit. It also removes the common “http on port 5601” foot-gun that leaks authentication traffic on otherwise trusted networks.
Kibana serves the web UI over HTTPS by loading a PEM-encoded server certificate (.crt) and private key (.key) and presenting them on port 5601. Authentication and authorization for the UI are provided by Elasticsearch security, while Kibana itself authenticates to Elasticsearch using a dedicated account such as kibana_system.
On typical Linux package installs, TLS and Elasticsearch connection settings live in /etc/kibana/kibana.yml and changes require a service restart to apply. The private key must be readable by the account running the kibana service, and a wrong file path, unreadable key, or invalid YAML can prevent Kibana from starting.
Steps to secure Kibana with TLS and authentication:
- Create a directory for TLS assets with permissions suitable for the kibana service account.
$ sudo install -o root -g kibana -m 750 -d /etc/kibana/certs
- Install the CA certificate used to validate the Kibana server certificate.
$ sudo install -o root -g kibana -m 644 /tmp/kibana-ca.crt /etc/kibana/certs/kibana-ca.crt
- Install the Kibana server certificate.
$ sudo install -o root -g kibana -m 644 /tmp/kibana.crt /etc/kibana/certs/kibana.crt
- Install the Kibana server private key with restricted access.
$ sudo install -o root -g kibana -m 640 /tmp/kibana.key /etc/kibana/certs/kibana.key
Exposing the private key enables impersonation of the Kibana HTTPS endpoint and defeats transport security.
- Verify ownership and permissions of the TLS files.
$ sudo ls -l /etc/kibana/certs
total 12
-rw-r--r-- 1 root kibana 1246 Jan 5 10:12 kibana-ca.crt
-rw-r--r-- 1 root kibana 1684 Jan 5 10:12 kibana.crt
-rw-r----- 1 root kibana 1704 Jan 5 10:12 kibana.key
Group-readable private keys rely on the kibana group membership and the directory mode 750.
- Configure TLS and Elasticsearch credentials in /etc/kibana/kibana.yml.
Storing elasticsearch.password in plain text makes /etc/kibana/kibana.yml a secret-bearing file.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.username: "kibana_system"
elasticsearch.password: "replace-with-kibana-system-password"
- Restart the Kibana service.
$ sudo systemctl restart kibana
If the service fails to start, inspect logs with journalctl -u kibana.
- Confirm the Kibana service is running.
$ sudo systemctl status kibana --no-pager
● kibana.service - Kibana
     Loaded: loaded (/lib/systemd/system/kibana.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2026-01-05 10:15:01 UTC; 8s ago
##### snipped #####
- Verify HTTPS access using the CA certificate.
$ curl --silent --show-error --cacert /etc/kibana/certs/kibana-ca.crt https://localhost:5601/login
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
##### snipped #####
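The failure modes named above (wrong file path, unreadable key, a secret-bearing kibana.yml) can be checked before restarting the service. The following script is an added example, not part of the original guide: the function names yml_get, world_accessible and check_kibana_tls are hypothetical, and it assumes the flat dotted keys shown in this guide and GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): audit kibana.yml TLS settings.
# Assumes flat dotted keys as shown in this guide, and GNU stat (Linux).

# Print the value of a flat "key: value" setting, without surrounding quotes.
yml_get() {
  local key
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots in the key literally
  sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Succeed when the file's mode grants any permission bit to "other".
world_accessible() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  [ "$(( 0$mode & 7 ))" -ne 0 ]
}

# Return the number of problems found (0 means the checks passed).
check_kibana_tls() {
  local yml=$1 problems=0 enabled cert key f
  enabled=$(yml_get "$yml" server.ssl.enabled)
  cert=$(yml_get "$yml" server.ssl.certificate)
  key=$(yml_get "$yml" server.ssl.key)

  [ "$enabled" = "true" ] || {
    echo "FAIL: server.ssl.enabled is not true"; problems=$((problems+1)); }
  for f in "$cert" "$key"; do
    [ -n "$f" ] && [ -r "$f" ] || {
      echo "FAIL: missing or unreadable file: '$f'"; problems=$((problems+1)); }
  done
  if [ -f "$key" ] && world_accessible "$key"; then
    echo "FAIL: private key is accessible to other users: $key"
    problems=$((problems+1))
  fi
  # kibana.yml is secret-bearing once it holds elasticsearch.password.
  if grep -q '^[[:space:]]*elasticsearch\.password[[:space:]]*:' "$yml" \
     && world_accessible "$yml"; then
    echo "FAIL: $yml holds elasticsearch.password and is world-accessible"
    problems=$((problems+1))
  fi
  return "$problems"
}

# Run against a file only when a path is given on the command line.
if [ "$#" -gt 0 ]; then check_kibana_tls "$1"; fi
```

Run it as the account that runs the kibana service, with /etc/kibana/kibana.yml as the argument, so the readability check reflects what Kibana itself can open; root can read every file regardless of mode.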
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
