We are trying to enable TLS on Elasticsearch using a self-signed EC-based CA with EC-based keys.
That being said, when we tried to supply these to ES it throws up with the following error:
Caused by: java.security.NoSuchAlgorithmException: ECDSA KeyFactory not available
at java.security.KeyFactory.<init>(KeyFactory.java:138) ~[?:1.8.0_121]
at java.security.KeyFactory.getInstance(KeyFactory.java:172) ~[?:1.8.0_121]
at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyFactory(Unknown Source) ~[?:?]
at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyFactory(Unknown Source) ~[?:?]
at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getPrivateKey(Unknown Source) ~[?:?]
at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey(CertUtils.java:272) ~[?:?]
...
It looks like ES 5.3.0 (or rather X-Pack 5.3.0) does not support reading in EC keys yet, but only supports ECC as a cipher selection.
Logstash on the other hand, doesn't seem to have this issue when ingesting EC keys. The main use case is to open a port on the Internet so Filebeat can send traffic directly via ES Ingest.
I was thinking perhaps I would do a socat proxy if Filebeat does not have the same EC limitation, but haven't really gotten to test this yet.
Can someone please shed some light on this?
Thanks!