Elastic 8.1 installation on windows with HTTPS and wild card certificates

Hi All,

I'm trying to set up an Elasticsearch cluster on Windows machines (all Windows Server 2019).
When I run Elasticsearch.bat for the first time, it configures the node with a default configuration, which is nice.
Authentication, HTTPS/SSL is enabled and an "Elasticsearch self signed certificate" is used.

Once the node is up and I browse to https://localhost:9200 (or the machine's IP address:9200), I'm getting an "Invalid certificate". Which makes sense, as a self-signed certificate is used, I guess?

Our company has a wildcard certificate in pfx format.
Basically what I tried to do, but failed miserably, is replace the Elasticsearch self-signed certificate with this one.
From what I know so far (please correct me if I'm wrong), the pfx file contains the private key, client certificate and the CA.
In order to use it for Elasticsearch, I first need to extract those 3 things from the PFX, as the pfx file cannot be directly used in Elasticsearch config?

I extracted the 3 certificates with the openssl tool.
.\openssl pkcs12 -in "wildcard-certificate.pfx" -nocerts -nodes -out "private.key"
.\openssl pkcs12 -in "wildcard-certificate.pfx" -clcerts -nokeys -out "public.cer"
.\openssl pkcs12 -in "wildcard-certificate.pfx" -cacerts -nokeys -out "ca.cer"

I now have 3 files which I can open in notepad, and see something like

There is some other data around this, which I usually manually delete so the file only contains the certificate. (Compared it with the default generated http_ca.P12 in the config/certs folder.)

Also another note (probably important to mention):
In the private key file there is 1 key, in the public there is 1 certificate, however in the ca.cer there are 3... I'm not sure what this is, I think a certificate chain?
For Elasticsearch I think there can only be 1 certificate in the CA.cer? How do I know which is the right one? the CA one ?

Next, I followed the "example" section in this article.

Using the extracted CA.cer from the pfx, I tried creating the new node certificate(s), updated the config.yml, updated the keystore, and restarted the Elasticsearch service.

All without success... --> still an invalid certificate when browsing to localhost:9200

If anyone could point me in the right direction, that would be highly appreciated!
I've searched dozens of articles/documentation, but I can't seem to find anything that points in the right direction to do this on Windows.

Kind Regards,
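Before deciding which of the three certificates in ca.cer is "the right one", it helps to see each certificate's role straight from the PFX. The following PowerShell script is an added example, not code from the original post; it assumes the PFX is named wildcard-certificate.pfx as above and that .NET Framework 4.7.2 or later is present (Windows Server 2019 ships it).

```powershell
# Added example (not from the original post): list what a PFX actually contains
# and classify each certificate as leaf, intermediate CA or root CA, before
# anything is extracted or copied into the Elasticsearch config.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,                         # e.g. .\wildcard-certificate.pfx
    [Parameter(Mandatory = $true)][System.Security.SecureString]$Password   # PFX import password
)

# EphemeralKeySet (.NET 4.7.2+) keeps the private key in memory only; nothing is
# written to a persistent key container just to inspect the file.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet

# The .NET import API takes a plain string; NetworkCredential does the SecureString conversion.
$plain = [System.Net.NetworkCredential]::new('', $Password).Password
$coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$coll.Import((Resolve-Path $PfxPath).Path, $plain, $flags)

$report = foreach ($c in $coll) {
    # Basic Constraints tells a CA certificate apart from an end-entity (leaf) certificate.
    $bc   = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = ($null -ne $bc) -and $bc.CertificateAuthority

    $role = 'unexpected: no private key and not a CA'
    if ($isCa)                                   { $role = 'intermediate CA (issued the leaf or another intermediate)' }
    if ($isCa -and $c.Subject -eq $c.Issuer)     { $role = 'root CA (self-issued, anchors the chain)' }
    if ($c.HasPrivateKey)                        { $role = 'leaf: the node certificate (carries the private key)' }

    # SAN (OID 2.5.29.17) is what the browser matches the URL host name against:
    # a wildcard for the company domain does not cover "localhost" or a bare IP address.
    $san = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Role       = $role
        Subject    = $c.Subject
        Issuer     = $c.Issuer
        NotAfter   = $c.NotAfter
        Thumbprint = $c.Thumbprint
        SAN        = $san
    }
}

# One entry per certificate in the PFX; the leaf plus its CA entries are the chain
# that ends up in ca.cer when the three openssl commands above are used.
$report | Format-List
```

Run it as `.\Inspect-Pfx.ps1 -PfxPath .\wildcard-certificate.pfx -Password (Read-Host -AsSecureString)` (script name assumed); the PFX itself can also be used directly as a PKCS#12 keystore, as the reply below notes, so this inspection is only to understand the chain.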

A .pfx file is (more or less) just a different extension for a PKCS#12 file. You should not have any problem using it as a keystore in Elasticsearch.

You've skipped over all the important details. In order to diagnose what might have gone wrong we need to know exactly what you changed.
