Creating P12 certificates in a github workflow

Hi, we would like to implement a rotation of P12-certificates using github workflows.

Let's say you have a CA certificate. Would it be possible, in a github workflow, to use a public Elasticsearch docker image to create password signed P12 certificates?

The CA certificate will be fetched from Azure Key Vault and mounted to a folder on a private github runner. Then the CA will be mounted to a folder on the docker container to be used to create P12 certificates. Is it possible? And what would that docker command look like?

Hi @tdvo1996,

Just to check - where does Elasticsearch stand in the question? Only to create certificates?

Yes, it's for configuring elastic with xpack security. I'm trying to automate configuring elastic as much as possible. For example using github workflows and ansible to rotate certificates.

I see, I've moved this topic into Elastic Stack - Elasticsearch section so that you can get more visibility on your question from Elasticsearch team.

I tried posting on elastic stack first, but I wasn't able to do it. The "New Topic"-button was greyed out, but thanks!

Not if all you have is a CA certificate. You need a copy of the CA private key in order to be able to issue new certificates.

Ah, I see. What if you have a CA in the form of a p12 certificate, and then spin up an elastic docker image to run this command:

./elasticsearch-certutil cert --ca /etc/elasticsearch/cert/p12/elastic-stack-ca.p12 --in /usr/share/elasticsearch/bin/instances.yml --out certs.zip?

Something like this:

docker run --rm \
    -v ./certs:/usr/share/elasticsearch/config/certs \
    -v ${{ inputs.instances_file_path }}/instances.yml:/usr/share/elasticsearch/config/instances.yml \
    docker.elastic.co/elasticsearch/elasticsearch:8.11.2 \
    elasticsearch-certutil cert --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
    --in /usr/share/elasticsearch/config/instances.yml \
    --out /usr/share/elasticsearch/config/certs/certs.zip --ca-pass "$pwd" --pass "$pwd"

I'm fairly new to configuring elastic, so correct me if I say anything incorrect.
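Putting the pieces of this thread together, here is an added example of a GitHub Actions job that does the rotation end to end: it downloads a CA stored as a password-protected PKCS#12 (certificate plus private key, which the earlier reply points out is required for signing) from Azure Key Vault onto a private runner, runs `elasticsearch-certutil cert` from the public Elasticsearch image against a bind-mounted directory, and writes the resulting bundle back to Key Vault. This is not code from the thread or from Elastic; the vault name `my-kv`, the secret names `elastic-stack-ca-p12` and `elastic-node-certs-zip`, the repository secrets `CA_PASS`, `CERT_PASS` and the `AZURE_*` values, the OIDC-based `azure/login` setup, `sudo` on the runner, and the instance list are all assumptions.

```yaml
# Added example (not from the thread): rotate Elasticsearch node certificates
# from a CA .p12 held in Azure Key Vault, using certutil from the public image.
# Assumed: vault "my-kv", CA secret "elastic-stack-ca-p12" (base64-stored .p12
# containing cert + private key), repo secrets CA_PASS / CERT_PASS / AZURE_*,
# OIDC federation for azure/login, and sudo on the private runner.
name: rotate-elastic-certs

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 1 * *"      # monthly; assumed rotation cadence

permissions:
  id-token: write            # needed for OIDC login to Azure (assumed setup)
  contents: read

jobs:
  issue-certs:
    runs-on: [self-hosted]   # private runner, as in the question
    env:
      ES_IMAGE: docker.elastic.co/elasticsearch/elasticsearch:8.11.2
      VAULT_NAME: my-kv                      # assumed
      CA_SECRET_NAME: elastic-stack-ca-p12   # assumed
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Fetch CA (certificate + private key) from Key Vault
        run: |
          set -euo pipefail
          CERT_DIR="$RUNNER_TEMP/certs"
          mkdir -p "$CERT_DIR"
          # A CA certificate alone is not enough; the .p12 must carry the CA key.
          az keyvault secret download \
            --vault-name "$VAULT_NAME" --name "$CA_SECRET_NAME" \
            --encoding base64 --file "$CERT_DIR/elastic-stack-ca.p12"
          echo "CERT_DIR=$CERT_DIR" >> "$GITHUB_ENV"

      - name: Write instances.yml and prepare the bind mount
        run: |
          set -euo pipefail
          # Constructed node list; in practice this comes from your inventory.
          cat > "$CERT_DIR/instances.yml" <<'EOF'
          instances:
            - name: es-node-1
              dns: ["es-node-1.example.internal"]
              ip: ["10.0.0.11"]
            - name: es-node-2
              dns: ["es-node-2.example.internal"]
              ip: ["10.0.0.12"]
          EOF
          # The image runs as uid 1000; give it the files while the runner user
          # keeps group access for the later upload and cleanup (sudo assumed).
          sudo chown -R 1000:"$(id -g)" "$CERT_DIR"
          chmod -R u+rwX,g+rwX,o-rwx "$CERT_DIR"

      - name: Issue node certificates with elasticsearch-certutil
        env:
          CA_PASS: ${{ secrets.CA_PASS }}      # password of the CA .p12
          CERT_PASS: ${{ secrets.CERT_PASS }}  # password for the new node .p12 files
        run: |
          set -euo pipefail
          docker run --rm \
            -v "$CERT_DIR:/usr/share/elasticsearch/config/certs" \
            "$ES_IMAGE" \
            elasticsearch-certutil cert --silent \
              --ca /usr/share/elasticsearch/config/certs/elastic-stack-ca.p12 \
              --ca-pass "$CA_PASS" \
              --in /usr/share/elasticsearch/config/certs/instances.yml \
              --out /usr/share/elasticsearch/config/certs/certs.zip \
              --pass "$CERT_PASS"
          unzip -l "$CERT_DIR/certs.zip"   # one <name>/<name>.p12 per instance

      - name: Store the new bundle in Key Vault (not as a workflow artifact)
        run: |
          az keyvault secret set --vault-name "$VAULT_NAME" \
            --name elastic-node-certs-zip --encoding base64 \
            --file "$CERT_DIR/certs.zip"

      - name: Scrub key material from the runner
        if: always()
        run: sudo rm -rf "$RUNNER_TEMP/certs"
```

Two points worth checking when adapting this: `--ca-pass` and `--pass` are ordinary command-line arguments, so while the container runs they are visible to anyone who can read the process list or `docker inspect` on the runner (GitHub masks the secret values in the job log, not on the host), which is one reason to keep the job on a dedicated private runner and remove the temp directory unconditionally at the end; and the zip contains private keys, so it goes back to Key Vault rather than into `actions/upload-artifact`, where anyone with read access to the workflow run could download it.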