Cannot load PEM certificate_authorities

Hi
I have generated a couple of cert under my instance list followed by

so at least
my config looks like below

    container_name: es_master_1_1
    environment:
      - node.name=es_master_1_1
      - xpack.ml.enabled=false
      - xpack.security.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.http.ssl.certificate_authorities=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.http.ssl.certificate=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.license.self_generated.type=basic
      - xpack.security.transport.ssl.certificate_authorities=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.transport.ssl.certificate=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.transport.ssl.key=certs/es_master_1_1/es_master_1_1.p12

what is wrong??? all steps I've made i think correctly

 [xpack.security.transport.ssl] - cannot load PEM certificate_authorities from [/usr/share/elasticsearch/config/certs/elastic-certificates.p12] due to CertificateParsingException (signed fields invalid)","error.stack_trace":"org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot load PEM certificate_authorities from [/usr/share/elasticsearch/config/certs/elastic-certificates.p12] due to CertificateParsingException (signed fields invalid)\n\tat org.elasticsearch.xcore@8.14.1/org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:620)\n\tat java.base/java.util.HashMap.forEach(HashMap.java:1429)\n\tat java.base/java.util.Collections$UnmodifiableMap.forEach(Collections.java:1708)\n\tat org.elasticsearch.xcore@8.14.1/org.elasticsearch.xpack.core.ssl.SSLService.loadSslConfigurations(SSLService.java:616)\n\tat org.elasticsearch.xcore@8.14.1/org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:160)\n\tat org.elasticsearch.xcore@8.14.1/org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:494)\n\tat org.elasticsearch.xcore@8.14.1/org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:323)\n\tat org.elasticsearch.server@8.14.1/org.elasticsearch.node.NodeConstruction.

Added elastic-stack-security

also I have added these option:

      - xpack.security.transport.ssl.truststore.type=PKCS12
      - xpack.security.transport.ssl.keystore.type=PKCS12

but it didn't help there

You're mixing up PEM (typical extensions .pem, .crt, .key) and PKCS#12 (typical extension .p12) formats.

PKCS#12 is a keystore format - it contains multiple entries, and each entry can have both a key and a certificate.
When using a keystore you only to provide a single file to Elasticsearch (via keystore.path or truststore.path) and Elasticsearch has everything it needs to configure keys or trust anchors.

PEM is (with a few exceptions) a single-object file format. Each file contains a single cryptographic object, such as a key or a certificate. That means when configuring Elasticsearch you need to provide multiple files (.key, .certificate, etc)

Here

      - xpack.security.http.ssl.key=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.http.ssl.certificate_authorities=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.http.ssl.certificate=certs/es_master_1_1/es_master_1_1.p12

You have PKCS#12 files, but you've told Elasticsearch that it's a PEM file (but using the .key, .certificate_authorities and .certificate settings)

What you probably want is:

      - xpack.security.http.ssl.keystore.path=certs/es_master_1_1/es_master_1_1.p12
      - xpack.security.http.ssl.truststore.path=certs/es_master_1_1/es_master_1_1.p12