Hi All,
I'm trying to setup an elastic-search cluster, on Windows machines (all windows server 2019).
When i run the Elasticsearch.bat for the first time, it configures the node with a default configuration, which is nice.
Authentication, HTTPS/SSL is enabled and an "Elasticsearch self signed certificate" is used.
Once the node is up, and I browse to https://localhost:9200 (or the machine's ip address:9200), i'm gettting an "Invalid certiface". Which makes sense, as a self signed certificate is used, I guess?
Our company as a wild card certificate in pfx format.
Basically what I tried to do, but failed miserably, is replace the Elasticsearch self signed certificate for this one.
From what I know so far (pls correct me if im wrong), the pfx file contains the private key, client certificate and the CA.
In order to use it for Elasticsearch, I first need to extract those 3 things from the PFX, as the pfx file cannot be directly used in Elasticsearch config?
I extracted the 3 certificates with the openssl tool.
.\openssl pkcs12 -in "wildcard-certificate.pfx" -nocerts -nodes -out "private.key"
.\openssl pkcs12 -in "wildcard-certificate.pfx" -clcerts -nokeys -out "public.cer"
.\openssl pkcs12 -in "wildcard-certificate.pfx" -cacerts -nokeys -out "ca.cer"
I now have 3 files which I can open in notepad, and see something like
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqgAwI...
-----END CERTIFICATE-----
There is some other data round this, which i usually manually delete so the file only contains the certificate. (Compared it with the default generated http_ca.P12 in config/certs folder)
Also another note (probably important to mention):
In the private key file there is 1 key, in the public there is 1 certificate, however in the ca.cer there are 3... Im not sure what this is, i think a certificate chain?
For Elasticsearch I think there can only be 1 certificate in the CA.cer? How do I know which is the right one? the CA one ?
Next, I followed the "example" section in this article.
Using the extracted CA.Cer from the pfx, i tried creating the new node certificate(s), updated the config.yml, updated the keystore, restarted Elasticsearch service.
All without succes... --> still invalid certificate when browsing to localhost:9200
If anyone could point me in the right direction, that would he highly appreciated!
I've search dozen's of articles/documentation, but I cant seem to find anything that points in the right direction to do this on Windows.
Kind Regards,
Thomas