Elastic SSL certificate API

security

(Miso Mijatovic) #1

Hi all,

I'm on 6.3.2, trying to configure SSL.
I used certutil to create the keystores for the CA and the nodes.
Trying the certificate API, I get this information from my node:

[
  {
    "path": "/etc/elasticsearch/certs/m2-391-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "xxxxxx",
    "has_private_key": false,
    "expiry": "2021-11-28T14:06:58.000Z"
  },
  {
    "path": "/etc/elasticsearch/certs/m2-391-certificates.p12",
    "format": "PKCS12",
    "alias": "instance",
    "subject_dn": "CN=instance",
    "serial_number": "yyyyyy",
    "has_private_key": true,
    "expiry": "2021-11-28T14:12:08.000Z"
  },
  {
    "path": "/etc/elasticsearch/certs/m2-391-certificates.p12",
    "format": "PKCS12",
    "alias": "ca",
    "subject_dn": "CN=Elastic Certificate Tool Autogenerated CA",
    "serial_number": "xxxxxx",
    "has_private_key": false,
    "expiry": "2021-11-28T14:06:58.000Z"
  }
]

While using keytool I get this information:

[root@v-aps-s-m2-391 certs]# keytool -list -keystore /etc/elasticsearch/certs/m2-391-certificates.p12 -v
Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: instance
Creation date: Nov 29, 2018
Entry type: PrivateKeyEntry


*******************************************
*******************************************

I want to export the certificate, but in the keystore I found only the private key; also, if I try to export it I get an error:

[root@v-aps-s-m2-391 certs]# keytool -export -keystore /etc/elasticsearch/certs/m2-391-certificates.p12 -alias instance -file test

Enter keystore password:

*****************  WARNING WARNING WARNING  *****************
* The integrity of the information stored in your keystore  *
* has NOT been verified!  In order to verify its integrity, *
* you must provide your keystore password.                  *
*****************  WARNING WARNING WARNING  *****************

keytool error: java.lang.Exception: Alias <instance> has no certificate

So where is the certificate stored and how can I access it?
Thanks in advance


(Ioannis Kakavas) #2

Can you share the commands you used?

Can you share which keytool version you are using? You can find out, for instance, with

which keytool | xargs namei

Now, you can try to do the same with openssl:

  • openssl pkcs12 -in /etc/elasticsearch/certs/m2-391-certificates.p12 -info will show you the keys and certificates in the PKCS#12 store.

  • openssl pkcs12 -in elastic-certificates.p12 -clcerts -nokeys -out instance.crt will output the instance certificate, PEM encoded in the file instance.crt


(Tim Vernum) #3

keytool has a lot of really strange behaviours. You're running into a few of them:

  1. It assumes that if you just press <enter> at the Enter keystore password: prompt, then you are choosing not to enter a password. It doesn't accept that your keystore might actually have a blank password. (Which I assume is the case for you.)
  2. It will happily attempt to do things without the password, even though they're not possible
  3. It then gives you a completely ridiculous error message when it fails to do them.

If your PKCS#12 file has a blank password, then you need to provide -storepass "" to keytool - Keytool will do the wrong thing if you press enter at the password prompt.

keytool -list -keystore /etc/elasticsearch/certs/m2-391-certificates.p12 -v -storepass ""
keytool -export -keystore /etc/elasticsearch/certs/m2-391-certificates.p12 -alias instance -file test -storepass ""
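The following is an added, end-to-end example that is not part of the original thread and is not Elastic's or certutil's code. It reproduces the situation discussed in #2 and #3 with openssl alone: it builds a PKCS#12 store with an empty password (a throwaway CA plus one instance certificate, constructed here as test data), then shows how to list and extract the certificates with an explicit blank password instead of pressing enter at a prompt, and, where keytool happens to be installed, lists the store with -storepass "" as #3 recommends. The scratch directory, file names and subject names are assumptions made for the demonstration; substitute your own /etc/elasticsearch/certs/<node>.p12 path.

```shell
#!/bin/sh
# Added example, not code from the original thread: build a PKCS#12 store with
# an empty password using openssl, then inspect it and extract the certificate
# with the openssl and keytool invocations the replies describe.
# Assumptions: openssl is on PATH; file names, subject names and the scratch
# directory below are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # scratch directory (assumed)
P12="$WORK/instance.p12"           # stands in for /etc/elasticsearch/certs/<node>.p12

# Constructed test data: a throwaway CA and one instance certificate signed by it.
make_keystore() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Autogenerated CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=instance" \
    -keyout "$WORK/instance.key" -out "$WORK/instance.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/instance.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/instance.crt" 2>/dev/null
  # "-passout pass:" sets an EMPTY password, the case that trips keytool's prompt.
  openssl pkcs12 -export -in "$WORK/instance.crt" -inkey "$WORK/instance.key" \
    -certfile "$WORK/ca.crt" -name instance -caname ca -passout pass: -out "$P12"
}

# Number of certificates in the store (leaf + CA). "-passin pass:" supplies the
# blank password explicitly instead of relying on an interactive prompt.
count_certs() {
  openssl pkcs12 -in "$P12" -passin pass: -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Extract only the leaf certificate (the entry that carries the private key),
# PEM encoded, and print its subject.
export_leaf() {
  openssl pkcs12 -in "$P12" -passin pass: -clcerts -nokeys -out "$WORK/leaf.pem" 2>/dev/null
  openssl x509 -in "$WORK/leaf.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Pull out the CA bundled in the same file and check that the leaf chains to it.
verify_leaf() {
  openssl pkcs12 -in "$P12" -passin pass: -cacerts -nokeys -out "$WORK/chain.pem" 2>/dev/null
  if openssl verify -CAfile "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# keytool, if installed: pass the empty password as -storepass "" rather than
# pressing enter at the prompt, which is the behaviour #3 warns about.
list_with_keytool() {
  if command -v keytool >/dev/null 2>&1; then
    keytool -list -keystore "$P12" -storetype PKCS12 -storepass "" -v \
      | grep -E 'Alias name|Entry type|Owner:' || true
  else
    echo "keytool not installed; skipping"
  fi
}

main() {
  make_keystore
  echo "certificates in store: $(count_certs)"
  echo "leaf subject: $(export_leaf)"
  echo "chain check: $(verify_leaf)"
  list_with_keytool
  openssl pkcs12 -in "$P12" -passin pass: -info -nokeys -noout   # MAC/PBE summary (printed to stderr)
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh example.sh run`. The -clcerts/-cacerts split works because openssl marks the certificate that matches the private key with a localKeyID attribute at export time; a CA added via -certfile has none, so -clcerts yields exactly the instance certificate and -cacerts the CA, which is the same pair of entries the certificate API output above reports for aliases "instance" and "ca".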