Creating http.p12, transport.p12 from a signed CSR for Elasticsearch

After getting the CSR signed, how do I create the http.p12 and transport.p12 needed for Elasticsearch?

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.5] | Elastic

Sign certificates with a central CA

If you work in an environment with a central security team, they can likely generate a certificate for you. Infrastructure within your organization might already be configured to trust an existing CA, so it may be easier for clients to connect to Elasticsearch if you use a CSR and send that request to the team that controls your CA. To use a central CA, answer y to the first question.

The documentation you linked is for configuring TLS for the HTTP interface, i.e. it is for settings beginning with xpack.security.http.ssl.XXX. You probably want to re-evaluate whether you want to apply the same certs/keys for the transport interface.

You can generate the p12 file from a PEM-format private key and signed cert in different ways. One of them is to use the standard openssl tool with a command like:

openssl pkcs12 -export -in SIGNED_CERT_FILE -inkey PRIVATE_KEY_FILE -out http.p12

Alternatively, you don't have to use p12 files since ES can take PEM files as well with settings:

xpack.security.http.ssl.key: PRIVATE_KEY_FILE
xpack.security.http.ssl.certificate: SIGNED_CERT_FILE

Thank you for your help, I was able to get Elasticsearch running, but when I tried to create an enrollment token for another node, I got the error below. Is it a problem with the certificate,
not finding the hostname or the IP address? The log has been modified to remove personal information.

$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
13:57:16.246 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [10.*.*.106]; the server provided a certificate with subject name [CN=*.demo.ca,OU=ADM-IM/JDCP,O=ND-DN Cloud Intranet,L=***wa,ST=***io,C=CA], fingerprint [f3c*************4ed6f], keyUsage [digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment] and extendedKeyUsage [serverAuth]; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:*.demo.ca,DNS:demo.ca,DNS:*.cloud.demo.ca]; the certificate is issued by [CN=example-CA-Authority] but the server did not provide a copy of the issuing certificate in the certificate chain; this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,PEM-trust{/etc/elasticsearch/certs/*base64.cer}})]) is not configured to trust that issuer but trusts [90] other issuers
java.security.cert.CertificateException: No subject alternative names matching IP address 10.*.*.106 found

I was able to get rid of the error by adding "xpack.security.http.ssl.verification_mode: certificate", but now I have a different error message. How would I create a keystore for the configuration?

$ sudo /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s node
Unable to create enrollment token for scope [node]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration is not configured with a keystore

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: certs/demo.key
xpack.security.http.ssl.certificate: certs/demo.cer
#xpack.security.http.ssl.certificate_authorities: ["certs/??????"]

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/demo.key
xpack.security.transport.ssl.certificate: certs/demo.cer
#xpack.security.transport.ssl.certificate_authorities: ["certs/???????"]

The enrollment token was designed to work with auto-configured security. It is possible to get it to work with manually configured security, but you'll have to understand the details. The current problem you are having is that generating an enrollment token expects the HTTP TLS configuration to be configured with a keystore, not PEM files. So you need to create the pkcs12 files.
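The openssl pkcs12 step from the first answer, carried through end to end as an added example (not code from the thread or from Elastic): it also bundles the issuing CA with -certfile, since the DiagnosticTrustManager warning above complains that the server did not present its issuer in the chain. The CA, key, CSR, file names and the password are constructed stand-ins for the organisation's real CA and signed CSR.

```shell
#!/bin/sh
# Added example, not from the thread: turn a PEM key + signed cert into the
# http.p12 keystore Elasticsearch expects, with the issuing CA included.
# Everything below is CONSTRUCTED test material: the "CA" is a throw-away
# self-signed cert standing in for the central CA that signed the real CSR.
set -eu

# Prints the number of certificates stored in the resulting http.p12.
# Runs in a subshell so the caller's working directory is left alone.
build_http_p12() (
  work="$1"; mkdir -p "$work"; cd "$work"

  # Stand-in for the central CA (constructed, test only)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
    -days 1 -subj "/CN=example-CA-Authority" 2>/dev/null

  # Node key + CSR, as the poster would send to the CA team
  openssl req -newkey rsa:2048 -nodes -keyout demo.key -out demo.csr \
    -subj "/CN=node1.demo.ca" 2>/dev/null

  # "CA" signs the CSR; the SAN must cover the name/IP other nodes connect to,
  # which is what the "No subject alternative names matching IP" error is about
  printf 'subjectAltName=DNS:node1.demo.ca,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' > ext.cnf
  openssl x509 -req -in demo.csr -CA ca.cer -CAkey ca.key -CAcreateserial \
    -out demo.cer -days 1 -extfile ext.cnf 2>/dev/null
  openssl verify -CAfile ca.cer demo.cer >/dev/null

  # The step the thread asks about: PEM key + signed cert -> PKCS#12.
  # -certfile adds the issuer so the keystore holds the full chain.
  # A fixed pass: password is fine for this demo; use env:/prompting in practice.
  openssl pkcs12 -export -in demo.cer -inkey demo.key -certfile ca.cer \
    -name http -out http.p12 -passout pass:changeme

  # Count the certificates in the keystore (leaf + CA = 2)
  openssl pkcs12 -in http.p12 -nokeys -passin pass:changeme 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
)
```

The same command with the transport cert and key produces transport.p12; the keystore password is then stored in the Elasticsearch secure settings (xpack.security.http.ssl.keystore.secure_password via elasticsearch-keystore add) rather than in elasticsearch.yml.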