Add new node in ES cluster

Previously, I generated certificates for my ES nodes using the command below.

/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in /tmp/instance.yml --out /root/new/

Now I want to add a new node by defining the previous CA certificate but it's not working.

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /root/new/ca/ca.crt --name node-04 --dns node-04 --ip

Here is the error log.

Exception in thread "main" toDerInputStream rejects tag type 45
at java.base/
at java.base/
at java.base/
at java.base/
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.MultiCommand.execute(
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(
at org.elasticsearch.cli.Command.main(

See our documentation:

--ca : Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter cannot be used with the ca or csr parameters.

You, on the other hand, are passing in a certificate in PEM format, and the tool is throwing an error.

You need to pass --ca-cert /root/new/ca/ca.crt --ca-key /root/new/ca/ca.key in the command above.

The ca.key file was not generated earlier, which is why I'm having difficulty signing a new node from the existing CA. There is only a ca.crt file in the ca folder.

Apologies, I misread your original command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in /tmp/instance.yml --out /root/new/

I guess you mean

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --pem --in /tmp/instance.yml --out /root/new/

as you can't pass both ca and cert in the same invocation.

Unfortunately when you run cert and you don't specify the CA yourself, the tool generates one on the fly for you and does not keep the CA key around, unless you tell it to do so with --keep-ca-key.
In essence, you have no way to create new certificates that are signed by the same CA as the one that has signed the existing nodes' certificates as you are missing the CA key. You would need to recreate a CA and use that to sign new certificates for all your nodes and the one for your new node.
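As an added illustration (not part of the thread, and not Elastic's own tooling), the check below classifies the files in a CA folder the way certutil's parser sees them and decides which flags, if any, can reuse that CA. The PEM header byte '-' is 45 in ASCII, which is exactly the "tag type 45" the DER parser rejected above; the file contents are constructed placeholders, not real keys.

```python
import re
from typing import Dict, List, Optional

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")


def der_tag_of(data: bytes) -> int:
    """First byte as a DER parser sees it; a PEM file yields 45 (ASCII '-')."""
    return data[0] if data else -1


def classify(data: bytes) -> str:
    """Return 'pkcs12' (DER SEQUENCE), 'pem:<LABEL>' or 'unknown' for a file's bytes."""
    if data[:1] == b"\x30":  # 0x30 = DER SEQUENCE, how a PKCS#12 keystore starts
        return "pkcs12"
    m = PEM_HEADER.match(data.lstrip())
    return "pem:" + m.group(1).decode() if m else "unknown"


def ca_flags(files: Dict[str, bytes]) -> Optional[List[str]]:
    """Pick certutil flags that reuse the CA in `files` (name -> bytes), or None."""
    for name, data in files.items():
        if classify(data) == "pkcs12":
            return ["--ca", name]  # --ca only accepts a PKCS#12 key pair
    crt = next((n for n, d in files.items() if classify(d) == "pem:CERTIFICATE"), None)
    key = next((n for n, d in files.items() if classify(d).endswith("PRIVATE KEY")), None)
    if crt and key:
        return ["--ca-cert", crt, "--ca-key", key]  # PEM cert + key go in separately
    return None


def diagnose(files: Dict[str, bytes]) -> str:
    """Explain why an existing CA cannot be reused, in terms of the files present."""
    if ca_flags(files):
        return "ok"
    crt = next((n for n, d in files.items() if classify(d) == "pem:CERTIFICATE"), None)
    if crt is None:
        return "no CA certificate found"
    return (f"{crt} is PEM (DER tag {der_tag_of(files[crt])}), so --ca rejects it, and "
            "no CA private key exists: 'certutil cert' without --keep-ca-key discards "
            "it, so a new CA must be created and every node certificate re-signed")


# Constructed placeholder PEM bodies: only the headers matter for this check.
CA_CRT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
CA_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(ca_flags({"ca.crt": CA_CRT, "ca.key": CA_KEY}))  # the fixed command's flags
    print(diagnose({"ca.crt": CA_CRT}))  # the situation described in this thread
```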

Thank you for your guidance.
