Certificate and Key formats are fairly confusing.
PKCS#8 is a private key encoding. It's a way of describing a private key as a stream of bytes. It it technically not a file type, because it doesn't describe how to store that key in a file - just how to store it as bytes.
PEM is a file format. It's a way of writing a cryptographic object in particular encoding, into a file on disk.
It is possible (and common) to have a private key that is encoded as PKCS#8 and then written to a PEM file.
The PEM file format can store a variety of different cryptographic objects. Among other object types, it can store both certificates and keys.
So, when you have elasticsearch.pem + elasticsearch.key
, technically those are both PEM files. You can assume that elasticsearch.pem
is a certificate written in PEM format and elasticsearch.key
is a key (using some encoding), also written in PEM format.
Sometimes people use the .pem
extension because they are PEM files, which is fair enough.
Other people use .cer
or .crt
because they are certificates, written as PEM files, which is also a fair choice.
The Elasticsearch team prefers to use the .crt
and .key
style of naming (because that emphasizes the main difference between the 2 files) but it doesn't matter.
It is highly likely that your .cer
,.crt
and .pem
files all use the same encoding and format.
If you want to be consistent you can just rename the files.
PKCS#8 files can have password, but don't always. In this case, it's really just that there is a password on that key (which is a good idea) and there isn't one on the Elasticsearch & Kibana keys.
Logstash has a copy of the password, so it's possible you could get it from there, but generating a new one is fine.
This error message is a little bit misleading.
It simply means that Logstash failed to read the key from the file. It can be triggered by a number of reasons that don't necessarily mean that the file is invalid.
In this case:
InvalidKeyException: IOException : DER input, Integer tag error`
The most likely cause is that your private key has a password (that is, it is encrypted) and you didn't provide that password to Logstash. In that case the code that reads the private key in Logstash will assume it is not encrypted, and then fail because it's not encoded correctly.
This is not elasticsearch. This is coming from elastalert
, and I really don't know enough to be able to help you with that.
Are there more messages above that? The most useful information appears to be missing.