Auto-configuration of ssl certificate

I don't find the CA private key of the transport layer that was generated by Elasticsearch at first start.
I can find the CA private key of the HTTP layer; it's in the generated http.p12 file. I would expect a similar private key in transport.p12, but it's not there:

root@elk-test:/#  openssl pkcs12 -info -in /etc/elasticsearch/certs/http.p12 | grep "Bag\|bag\|friendlyName\|subject\|issuer\|---"
Enter Import Password:
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Bag Attributes
    friendlyName: http_ca
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: http
-----BEGIN ENCRYPTED PRIVATE KEY-----
Certificate bag
Certificate bag
Certificate bag
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: http_ca
subject=CN = Elasticsearch security auto-configuration HTTP CA
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: http
subject=CN = elk-test
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=Elasticsearch security auto-configuration HTTP CA
subject=CN = Elasticsearch security auto-configuration HTTP CA
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

In transport.p12 the private key for the CA is missing:

root@elk-test:/# openssl pkcs12 -info -in /etc/elasticsearch/certs/transport.p12 | grep "Bag\|bag\|friendlyName\|subject\|issuer\|---"
Enter Import Password:
MAC: sha256, Iteration 10000
MAC length: 32, salt length: 20
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
Certificate bag
Certificate bag
Bag Attributes
    friendlyName: transport
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: transport
subject=CN = elk-test
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: transport_ca
subject=CN = Elasticsearch security auto-configuration HTTP CA
issuer=CN = Elasticsearch security auto-configuration HTTP CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Is it a bug, or does the transport layer CA have its private key somewhere else?

The private key is not available anywhere; you are right, we discard it. This is not a bug per se, but more of a design decision.

The auto-configuration process generates a key/certificate pair for the transport layer that is shared between all nodes. If you want to add new nodes to the cluster, you can use the enrollment process by generating a new enrollment token and using that to start a new node, and the new node will use the same transport key/certificate. As such, there was no need to keep the CA key around, as there was no use case for signing new certificates for new nodes with it.

If the above doesn't satisfy your use case, you probably want to start from scratch setting up TLS as we describe in Manually configure security | Elasticsearch Guide [8.1] | Elastic, as you cannot use the existing CA to generate new key pairs and sign the new certificates for the transport layer with it.

Hope this helps.
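As an added example (not code from this thread, and not part of Elastic's tooling), the script below rebuilds the two keystore shapes discussed above with a throwaway OpenSSL CA: one file that carries the CA's own private key, as http.p12 does, and one that carries only the node key and certificate plus the CA certificate as a trust anchor, which is the shape of transport.p12. It then checks any PKCS#12 file for a private key whose public half matches one of the file's CA:TRUE certificates; that is the property that decides whether a keystore can sign certificates for new nodes. The subject names, file names and password are constructed for the demo, and the real auto-configured keystores are not touched.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway CA with
# OpenSSL, packages it two ways (with and without the CA private key), and
# checks which package could still sign new node certificates.
# Subjects, file names and the password below are constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
PASS=demo-password            # throwaway keystore password for this demo only
trap 'rm -rf "$WORK"' EXIT

# Print "present" if any private key in the PKCS#12 matches the public key of a
# certificate flagged CA:TRUE inside the same file, "absent" otherwise.
# Usage: ca_key_present <file.p12> <password>
ca_key_present() {
  p12=$1
  pass=$2
  d=$(mktemp -d)
  # Dump private keys (unencrypted, into a private temp dir) and certificates separately.
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes -out "$d/keys.pem" 2>/dev/null
  openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -out "$d/certs.pem" 2>/dev/null
  # Split each dump into one file per PEM block; the "Bag Attributes" lines are dropped.
  awk -v dir="$d" '/^-----BEGIN/{n++; out=dir "/k" n ".pem"} /^-----BEGIN/,/^-----END/{print > out}' "$d/keys.pem"
  awk -v dir="$d" '/^-----BEGIN/{n++; out=dir "/c" n ".pem"} /^-----BEGIN/,/^-----END/{print > out}' "$d/certs.pem"
  result=absent
  for c in "$d"/c*.pem; do
    [ -f "$c" ] || continue
    # Only certificates that are allowed to sign (basicConstraints CA:TRUE) matter here.
    openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE' || continue
    ca_fp=$(openssl x509 -in "$c" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
    for k in "$d"/k*.pem; do
      [ -f "$k" ] || continue
      # Compare SHA-256 of the DER-encoded public key derived from each private key.
      key_fp=$(openssl pkey -in "$k" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
      if [ "$key_fp" = "$ca_fp" ]; then result=present; fi
    done
  done
  rm -rf "$d"
  echo "$result"
}

# 1. Throwaway self-signed CA, a stand-in for the auto-configuration CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Demo auto-configuration CA" -addext "basicConstraints=critical,CA:TRUE" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# 2. Node key and certificate signed by that CA, a stand-in for the "transport" entry.
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=elk-test" \
  -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/node.crt" 2>/dev/null
# 3a. Keystore that holds the CA's own key and certificate: it can sign new node certs.
openssl pkcs12 -export -name demo_ca -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
  -passout "pass:$PASS" -out "$WORK/ca-with-key.p12"
# 3b. Keystore with the node key, node cert and the CA certificate only as a trust
#     anchor, the shape of transport.p12: nothing in it can sign a new certificate.
openssl pkcs12 -export -name node -inkey "$WORK/node.key" -in "$WORK/node.crt" \
  -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/node-only.p12"

echo "ca-with-key.p12: CA private key $(ca_key_present "$WORK/ca-with-key.p12" "$PASS")"
echo "node-only.p12:   CA private key $(ca_key_present "$WORK/node-only.p12" "$PASS")"
```

To run the same check against a real node, call ca_key_present with the path of the keystore and the password held in the Elasticsearch keystore under xpack.security.transport.ssl.keystore.secure_password (or the http equivalent); on an auto-configured node transport.p12 should report "absent", which is exactly the situation the answer above describes.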
