Creating Certificate using Certutil


I've used this commands to generate CA and Cert:

bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

But in logstash and beats a p12 is not supported and I MUST use

ssl.certificate_authorities: ["/etc/ca.crt"]
ssl.certificate: "/etc/client.crt"
ssl.key: "/etc/client.key"

So what is the command that I should use to generate:
1- ca.crt
2- client.crt
3- client.key

P.S: The CA and CERT are password protected

Please help.


You don't need

ssl.certificate: "/etc/client.crt"
ssl.key: "/etc/client.key"

unless you want to configure mutual TLS authentication between logstash and elasticsearch. If you just want to authenticate logstash to elasticsearch with a username and password and only need that logstash can verify the certificate of elasticsearch, keep only

ssl.certificate_authorities: ["/etc/ca.crt"]

You can get that from elastic-stack-ca.p12 with openssl as follows:

openssl pkcs12 -in elastic-stack-ca.p12 -clcerts -nokeys | sed '/-----BEGIN CERTIFICATE-----/,$!d'> ca.crt

Many thanks, Worked fine!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.