Creating ES Node Certs Without CA Key?

Hello,

I was wondering if it was possible to create ES node certs using an existing CA without a CA key? The only thing I have found in the documentation is that you can only create ES node certs with existing CA if it has the CA key. Which is done by using the example command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert <path/to/ca.crt> --ca-key <path/to/ca.key> --pem --in <path/to/file.yml> --out <path/to/file.zip>

The reason I ask is because our ES node TLS certs are expiring however our CA cert is still valid for another 2 years but does not seem to have a CA key.

If there is a way to achieve this without having to re-create a new CA cert inorder to just get a CA key, then can someone please assist?

Thanks.

I was wondering if it was possible to create ES node certs using an existing CA without a CA key?

This is not possible. The CA certificate is public, if it were possible than anyone on the internet could've created valid certs and join your cluster.