Hi all,
I noticed the tool elasticsearch-certutil, which helps create the certificates for TLS security in the stack.
I want to partly automate the step of certificate creation in a Docker environment.
I am thinking of the following scenario:
I have an Elasticsearch container that will only be used for certificate creation. It has access to the already created self-signed CA key and cert. An additional script will call elasticsearch-certutil to generate a key and sign it. The created certificate bundle (key, CA cert, cert) will be saved and copied to the new node (Logstash, Elasticsearch or Kibana). Afterwards the new node can be started, having the cert available for TLS security.
Now my question about the keystore:
Is it possible to save the CA password in Elasticsearch's keystore and use the secret in elasticsearch-certutil? If so, how?
Normally I prefer entering the CA passphrase manually, but I would like to know what is possible and what is not.
And one question from a security point of view:
Is it possible to decode the keystore to get its keys and values if the secret is known? I would like to know how insecure it is to store the CA passphrase in the keystore, because imho it is more critical / sensitive than the private key passphrase of a single node.
Thanks a lot, Andreas