Elasticsearch-certutil - can it access keystore?

Hi all,

I noticed the tool elasticsearch-certutil, which helps create the certificates for TLS security in the stack.

I want to partly automate the step of certificate creation in a Docker environment.
I am thinking of the following scenario:

I have an Elasticsearch container that will only be used for certificate creation. It has access to the already created self-signed CA key and cert. An additional script will call elasticsearch-certutil to generate a key and sign it. The created certificate bundle (key, CA cert, cert) will be saved and copied to the new node (Logstash, Elasticsearch or Kibana). Afterwards the new node can be started with the cert available for TLS security.

Now my question about the keystore:
Is it possible to save the CA password in Elasticsearch's keystore and use the secret in elasticsearch-certutil? If so, how?

Normally I prefer entering the CA passphrase manually, but I would like to know what is possible and what is not.

And one question from a security point of view:
Is it possible to decode the keystore to get its keys and values if the secret is known? I would like to know how insecure it is to store the CA passphrase in the keystore, because IMHO it is more critical / sensitive than the private key passphrase of a single node.

Thanks a lot, Andreas

Hi Andreas,

No, Elasticsearch's keystore is not meant to be used as a generic secret store, but rather to hold sensitive values for specific Elasticsearch settings. As such it can't be used externally to read any of the stored values; one can only add and list settings. elasticsearch-certutil is not able to read the setting values either, so you'd need to store it somewhere else and pass it as the --ca-pass parameter when calling elasticsearch-certutil.
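The approach the reply describes, as an added example that is not part of the original thread and not Elastic's own tooling: a small wrapper for the issuance-only container that takes the CA passphrase from a secret file (for example a Docker or Compose secret mounted under /run/secrets) instead of the Elasticsearch keystore, refuses a secret file that is group- or world-readable, and hands the value to `elasticsearch-certutil cert` through `--ca-pass`. The paths `$CA_DIR/ca.crt`, `$CA_DIR/ca.key` and `$CA_PASS_FILE`, the `$CERTUTIL` override and the function names are assumptions chosen for illustration; the certutil flags (`cert`, `--silent`, `--pem`, `--ca-cert`, `--ca-key`, `--ca-pass`, `--name`, `--dns`, `--ip`, `--out`) are the tool's own.

```shell
#!/usr/bin/env bash
# Added example for this thread; not code from Elastic or the original poster.
# Issues a CA-signed node certificate with elasticsearch-certutil while the CA
# passphrase lives in a secret file, since certutil cannot read the keystore.
# Assumed layout (illustrative): PEM CA at $CA_DIR/ca.crt and $CA_DIR/ca.key,
# passphrase in $CA_PASS_FILE, certutil binary named by $CERTUTIL.
set -eu

CERTUTIL="${CERTUTIL:-elasticsearch-certutil}"
CA_DIR="${CA_DIR:-/certs/ca}"
CA_PASS_FILE="${CA_PASS_FILE:-/run/secrets/es_ca_pass}"

# read_ca_pass FILE: print the first line of FILE, refusing files that are
# missing, empty, or readable by group/others (GNU stat is assumed).
read_ca_pass() {
    local f="$1" mode pass
    [ -f "$f" ] || { echo "read_ca_pass: $f not found" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *00) ;;   # 600/400: owner-only is what a CA passphrase file needs
        *) echo "read_ca_pass: $f has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    # read returns non-zero on a file without a trailing newline but still fills pass
    IFS= read -r pass < "$f" || true
    [ -n "$pass" ] || { echo "read_ca_pass: $f is empty" >&2; return 1; }
    printf '%s' "$pass"
}

# issue_node_cert NAME DNS IP OUT_ZIP: generate a key and a CA-signed cert for
# one node as a PEM bundle in OUT_ZIP. --ca-pass goes on the command line, so
# the passphrase is visible in the process list while certutil runs; keep this
# to a container used only for certificate issuance.
issue_node_cert() {
    local name="$1" dns="$2" ip="$3" out="$4" ca_pass
    ca_pass=$(read_ca_pass "$CA_PASS_FILE")
    "$CERTUTIL" cert --silent --pem \
        --ca-cert "$CA_DIR/ca.crt" --ca-key "$CA_DIR/ca.key" --ca-pass "$ca_pass" \
        --name "$name" --dns "$dns" --ip "$ip" --out "$out"
    # the bundle holds the node's private key: owner-only before it is copied
    chmod 600 "$out"
}

main() {
    [ $# -eq 4 ] || { echo "usage: $0 NAME DNS IP OUT_ZIP" >&2; return 2; }
    issue_node_cert "$@"
    echo "wrote $4"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Typical use inside the issuance container is `CA_PASS_FILE=/run/secrets/es_ca_pass ./issue_cert.sh node-1 node-1.example.internal 10.0.0.5 /out/node-1.zip`, after which the zip is copied to the new node. Two caveats: a value passed with `--ca-pass` is readable from `/proc/<pid>/cmdline` for the lifetime of the certutil process, which is why the reply's "store it somewhere else" should mean a file or secret mount the issuance container alone can read, and the permission check above only covers the file mode, not who can exec into the container.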
