The documentation states that
If you want to specify a blank password (without prompting), use --pass "" (with no =).
But that seems to be wrong:
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip --pass ""
Exception in thread "main" java.lang.IllegalArgumentException: password empty
at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
at javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:330)
at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:798)
at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:936)
at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:797)
at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:950)
at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:994)
at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:947)
at org.elasticsearch.xpack.security.cli.CertificateTool.access$500(CertificateTool.java:85)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:765)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:700)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)
Not specifying the parameter at all works, though:
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip
Installed version: 6.4.2 (https://artifacts.elastic.co/packages/6.x/apt)