ECDSA TLS Key Support

We are trying to enable TLS on Elasticsearch using a self-signed EC based CA with EC based keys.
That being said, when we tried to supply these to ES, it throws the following error:

Caused by: java.security.NoSuchAlgorithmException: ECDSA KeyFactory not available
at java.security.KeyFactory.<init>(KeyFactory.java:138) ~[?:1.8.0_121]
at java.security.KeyFactory.getInstance(KeyFactory.java:172) ~[?:1.8.0_121]
at org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createKeyFactory(Unknown Source) ~[?:?]
at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getKeyFactory(Unknown Source) ~[?:?]
at org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter.getPrivateKey(Unknown Source) ~[?:?]
at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey(CertUtils.java:272) ~[?:?]
...

It looks like ES 5.3.0 (or rather X-Pack 5.3.0) does not yet support reading in EC keys, but only supports ECC as a cipher selection.
Logstash, on the other hand, doesn't seem to have this issue when ingesting EC keys. The main use case is to open a port on the Internet so Filebeat can send traffic directly via ES Ingest.
I was thinking perhaps I would do a socat proxy if Filebeat does not have the same EC limitation, but haven't really gotten to test this yet.
Can someone please shed some light on this?

Thanks!

Well, ES doesn't support ECDSA keys because the JVM does not have a provider for them.
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#KeyFactory
And Logstash makes use of JRuby which adds support for them.

We're looking into making ECDSA support work when using PEM files. One workaround for the time being might be to use a Java KeyStore instead of the PEM files.

The method for putting your key and certificate(s) into a keystore isn't the most user-friendly. The first step is to use a tool like openssl to create a PKCS12 keystore from the key, certificate, and CA certificate. Then you use keytool to import the PKCS12 keystore into a Java keystore file (JKS).
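The two-step workaround above (openssl to build a PKCS12 bundle, keytool to turn it into a JKS), scripted end to end. This is an added example, not code from the thread or from Elastic. It generates its own EC (P-256) CA and node key so it runs stand-alone; the names es-ca and es-node, the SAN es.example.com, the output directory and the password are placeholders, not values from the thread. Going through a keystore means x-pack never has to parse the EC private key out of a PEM file, which is the path the stack trace above goes through.

```sh
#!/bin/sh
# Added example (not from the thread): PEM EC key/cert -> PKCS12 -> JKS for Elasticsearch.
# All names, the SAN and the password are placeholders.
set -eu

# Generate a self-signed EC CA and an EC node certificate signed by it.
make_ec_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=es-ca" -days 3650 -out "$dir/ca.crt"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/node.key"
  openssl req -new -key "$dir/node.key" -subj "/CN=es-node" -out "$dir/node.csr"
  # A SAN so a client like Filebeat can verify the hostname, plus a serverAuth EKU.
  printf 'subjectAltName=DNS:es.example.com,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' > "$dir/node.ext"
  openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/node.ext" -out "$dir/node.crt"
}

# Step 1 of the workaround: bundle key, certificate and CA certificate into a PKCS12 file.
make_pkcs12() {
  dir=$1 pass=$2
  openssl pkcs12 -export -inkey "$dir/node.key" -in "$dir/node.crt" -certfile "$dir/ca.crt" \
    -name es-node -passout "pass:$pass" -out "$dir/node.p12"
}

# Step 2: import the PKCS12 into a JKS keystore; the CA alone goes into a separate truststore.
import_to_jks() {
  dir=$1 pass=$2
  keytool -importkeystore -srckeystore "$dir/node.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$dir/node.jks" -deststoretype JKS -deststorepass "$pass" -noprompt
  keytool -importcert -file "$dir/ca.crt" -alias es-ca -keystore "$dir/truststore.jks" \
    -storepass "$pass" -noprompt
}

# Sanity checks: the node cert chains to the CA, the bundle opens with the password,
# and the private key inside it is a consistent EC key.
verify_bundle() {
  dir=$1 pass=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/node.crt" >/dev/null
  openssl pkcs12 -in "$dir/node.p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | openssl ec -noout -check >/dev/null 2>&1
}

# Usage: sh es-ec-keystore.sh <outdir> <password>
if [ "$#" -ge 2 ]; then
  make_ec_pki "$1"
  make_pkcs12 "$1" "$2"
  verify_bundle "$1" "$2"
  import_to_jks "$1" "$2"
  echo "keystore: $1/node.jks  truststore: $1/truststore.jks"
fi
```

Point x-pack at the resulting files with the 5.x keystore settings (xpack.ssl.keystore.path / xpack.ssl.keystore.password, and the matching xpack.ssl.truststore.* pair) instead of the PEM key/certificate settings. One caveat when mixing tool versions: OpenSSL 3 writes PKCS12 files with newer default algorithms that older JDK 8 keytool builds cannot read; its pkcs12 command has a -legacy flag for that case.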
