Certutil does not produce keystore with 3 files but only 2

mpetronic · January 15, 2018, 6:14pm

Trying to setup and secure a new cluster for first time with x-pack. Running 6.1.1 all around.

I generated my own ca.crt and ca.key using:

/usr/share/elasticsearch/bin/x-pack/certutil ca --ca-dn CN=Quasar --days 3650 -out ca.zip -v -pem

Then ran this to create my server certs and private keys:

/usr/share/elasticsearch/bin/x-pack/certutil cert --silent --in /tmp/cert_map.yaml --out /tmp/certs.zip --ca-cert ca/ca.crt --ca-key ca/ca.key

With yaml file contents:

instances:
- {dns: esdata1-01.shared.quasar.nadops.net, name: esdata1-01.shared.quasar.nadops.net}
- {dns: esdata1-02.shared.quasar.nadops.net, name: esdata1-02.shared.quasar.nadops.net}
- {dns: esmaster1-01.shared.quasar.nadops.net, name: esmaster1-01.shared.quasar.nadops.net}
- {dns: esmaster1-02.shared.quasar.nadops.net, name: esmaster1-02.shared.quasar.nadops.net}
- {dns: esmaster1-03.shared.quasar.nadops.net, name: esmaster1-03.shared.quasar.nadops.net}

The docs say:

This command generates a compressed test1.zip file. After you decompress the output file, there is a directory for each instance that was listed in the instances.yml file. Each instance directory contains a single PKCS#12 (.p12) file, which contains the instance certificate, instance private key, and CA certificate.

Which indicates there should be 3 files inside the keystore but there are only 2 files - the ca and my server private key but no server certificate:

[root@vmwdnaelastic01 tmp]# keytool -list -keystore ./esmaster1-02.shared.quasar.nadops.net/esmaster1-02.shared.quasar.nadops.net.p12
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

esmaster1-02.shared.quasar.nadops.net, Jan 15, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 42:E2:33:CF:4C:5A:D4:CF:6F:06:0C:D1:12:37:DE:88:2E:08:3D:F1
ca, Jan 15, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 2A:C1:2A:A4:7B:3B:95:C1:ED:EF:3E:8E:F2:ED:76:E5:2C:CB:D3:23

Anyone with any idea as to why this is not working as advertised?

What I want to do is be able to generate one keystore per node, each with a unique server certificate named after the host name the node is running on. Per the docs, this keystore will have all that is needed - the server certificate and private key so that it can response to clients and the CA certificate so that it can validate any server certificate. Seems like a clean way to deploy but where is my server key?

Senor · January 15, 2018, 8:34pm

Since you are explicitly setting the CA that you generated with the --ca-cert and --ca-key switches, certutil will not generate a PKCS#12 file that contains the CA. You are inherently signing the certificates with the CA that you generated.

All certificates that are generated by this command are signed by a CA. You can provide your own CA with the --ca or --ca-cert parameters. Otherwise, the command automatically generates a new CA for you.

Further information can be had within certutil itself:

By default the 'cert' mode produces a single PKCS#12 output file which holds:
	* The instance certificate
	* The private key for the instance certificate
	* The CA certificate

I believe the following will create what you are seeking:

$ bin/x-pack/certutil  cert --ca-dn <name> --ca-pass <password> --days <n> --dns <domain_name> --ip <IP_addresses> --keep-ca-key --keysize 4096 --name <file_name> --out <file_path> --pass <password>

TimV · January 15, 2018, 11:58pm

This is a quirk in keytool and the way it distiguishes between private entries and trusted entries.

The CA certificate is a trustedCertEntry with a single object (the X.509 certificate)

The server key-pair (cert + key) is treated as a single PrivateKeyEntry that has 2 objects in it (the X.509 Certificate and the RSA private key), but keytool doesn't make that very clear.
It's a little bit better if you pass the -v (verbose) option, but it can still be hard to follow.

If you have access to openssl you can run:

openssl pkcs12 -nodes -in ./esmaster1-02.shared.quasar.nadops.net/esmaster1-02.shared.quasar.nadops.net.p12

And that should show you all 3 objects

mpetronic · January 17, 2018, 3:12pm

Thanks, Tim. I did a crash course in all the file formats and such and came to the same understanding. The SSL cert and private key have to be converted into single PKCS12 formatted file and then that ONE file can be imported into a keystore via keytool. The right command, as you indicated, does indeed show all three.

system · February 14, 2018, 3:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.