Unfortunately, you can't create a PKCS12 store without setting a password; you can only set an empty password. See the documentation for the --pass parameter in elasticsearch-certutil | Elasticsearch Guide [8.11] | Elastic.
Possible solution 1
[Editing this to keep everything in place for future reference]
As @TimV mentioned in the post below correcting me:
Possible solution 2
As @crickes mentioned, you can either use the equivalent secure settings:
xpack.security.transport.ssl.keystore.secure_password:
xpack.security.transport.ssl.truststore.secure_password:
that need to be set in the secure settings
To be precise, these have not been changed but password has been deprecated in favor of secure_password.
Possible solution 3
If you can't/don't want to use secure settings, then you can alternatively use elasticsearch-certutil to create a PEM-formatted key and certificate that do not need to be password protected, using the --pem parameter
i.e.
bin/elasticsearch-certutil cert --silent --pem -out elastic-certificates-pem.zip
and unzipping this you will get 3 files
- ca/ca.crt
- instance/instance.crt
- instance/instance.key
Then you can configure your nodes with
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: instance.key
xpack.security.transport.ssl.certificate: instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca.crt" ]
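
A small linter for the transport TLS settings discussed in this post, added here as an example (it is not part of the original post and not Elastic's code). It assumes flat `dotted.key: value` lines as shown above; the function name, message wording and sample values are constructed for illustration.

```python
import re

PREFIX = "xpack.security.transport.ssl."
STORES = ("keystore", "truststore")
# The three PEM settings used in the post's solution 3
PEM_KEYS = ("key", "certificate", "certificate_authorities")

def lint_transport_tls(yml_text):
    """Lint flat 'dotted.key: value' transport TLS settings; return findings."""
    findings, seen = [], {}
    for n, raw in enumerate(yml_text.splitlines(), 1):
        line = raw.split(" #")[0].strip()
        m = re.match(r"^([A-Za-z0-9_.]+):(\s*)(.*)$", line)
        if not m:
            continue  # blank line, comment, or nested YAML (out of scope here)
        key, gap, value = m.groups()
        if value and not gap:
            # YAML needs whitespace after ':' to read the line as key and value
            findings.append(f"line {n}: missing space after ':' in {key}")
        seen[key] = value
    for store in STORES:
        if PREFIX + store + ".password" in seen:
            findings.append(f"{store}.password is deprecated; use {store}.secure_password")
        if PREFIX + store + ".secure_password" in seen:
            # Secure settings are stored with bin/elasticsearch-keystore
            findings.append(f"{store}.secure_password belongs in the secure settings, not the YAML file")
    pem = [k for k in PEM_KEYS if seen.get(PREFIX + k)]
    if pem and len(pem) < len(PEM_KEYS):
        missing = sorted(set(PEM_KEYS) - set(pem))
        findings.append("PEM setup incomplete, missing: " + ", ".join(missing))
    return findings

# Constructed sample: a half-migrated config with three problems
SAMPLE = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: instance.key
xpack.security.transport.ssl.certificate:instance.crt
xpack.security.transport.ssl.keystore.password: changeme
"""

if __name__ == "__main__":
    for finding in lint_transport_tls(SAMPLE):
        print(finding)
```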