Elasticsearch-certutil: generate both pem certificates and PKCS#12 keystores

Hi,

I am currently using elasticsearch-certutil to generate my PEM certificates (.crt and .key) for Elasticsearch and Kibana through a certutil .yml file.

However, I want to set up SSL for my Enterprise Search instance, but it seems it doesn't accept PEM: it only accepts an ent_search.ssl.keystore.path option.

But certutil doesn't seem to accept an option to generate both PEM certificates and a PKCS keystore.

Here is the yml config:

instances:
    - name: es01
      dns:
        - es01
        - localhost
      ip:
        - 127.0.0.1

    - name: es02
      dns:
        - es02
        - localhost
      ip:
        - 127.0.0.1

    - name: es03
      dns:
        - es03
        - localhost
      ip:
        - 127.0.0.1

    - name: kibana
      dns:
        - kibana
        - localhost
      ip:
        - 127.0.0.1

    - name: enterprise_search
      dns:
        - enterprise_search
        - localhost
      ip:
        - 127.0.0.1

Here is my command (in a Docker container):

bin/elasticsearch-certutil cert --silent --pem --in config/certificates/instances.yml -out /certs/bundle.zip;

Am I forced to generate my Enterprise Search keystore through a second command and yml file?

Thank you,

It is not possible to generate both PEM and p12 files at the same time. Both Elasticsearch and Kibana can support p12 files. So a possible solution is to just generate p12 files across the board, i.e. drop the --pem CLI option.

Note it might not do what you expect if you run the command twice, once for PEM and once for p12. The way you invoke certutil is to ask for a new CA to be generated on the fly on each invocation. That is, certificates generated from two invocations will not automatically trust each other since they are signed by different CAs.

Thank you for this answer Yang_Wang. I would like to keep the .crt and .key files for my Elasticsearch and Kibana instances.

What about doing something like this?

# Generating CA certificate
bin/elasticsearch-certutil ca --silent --pem -out /certs/ca.zip;
unzip /certs/ca.zip -d /certs;

# Generating PEM certificates (Elasticsearch nodes and Kibana)
bin/elasticsearch-certutil cert --silent --pem --ca-cert "/certs/ca/ca.crt" --ca-key "/certs/ca/ca.key" --in config/certificates/pem.yml -out /certs/pem.zip;
unzip /certs/pem.zip -d /certs;

# Generating PKCS#12 certificates (Enterprise Search)
bin/elasticsearch-certutil cert --silent --pass "changeme" --ca-cert "/certs/ca/ca.crt" --ca-key "/certs/ca/ca.key" --in config/certificates/pkcs_12.yml -out /certs/pkcs_12.zip;
unzip /certs/pkcs_12.zip -d /certs;

Does this technique make sure both certs and keystore are signed by the same CA?

Thanks,
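The question above (do the PEM certificates and the PKCS#12 keystore end up under the same CA?) and Yang_Wang's earlier remark (certificates from two separate certutil runs are signed by different CAs and so do not trust each other) can both be checked with plain openssl. The script below is an added example, not code from the thread and not part of elasticsearch-certutil: it uses openssl as a stand-in for the three certutil steps (one CA, PEM leaf certificates, one PKCS#12 keystore), then verifies each artefact against the CA, and also builds a second, independent CA to show the failure mode. It assumes only that openssl is on PATH; every name, path and password in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread, not certutil's own code): build one
# CA, issue a PEM certificate and a PKCS#12 keystore from it with openssl, then
# check that both chain to that CA. A second, independent CA shows why two
# certutil runs that each mint a CA on the fly produce certificates that do not
# trust each other. Assumes: openssl in PATH. All names/paths/passwords are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA named $1, standing in for `elasticsearch-certutil ca --pem`.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Leaf certificate for instance $2 signed by CA $1, with the SANs the thread's
# instances.yml lists (own name, localhost, 127.0.0.1). Stands in for
# `elasticsearch-certutil cert --ca-cert ... --ca-key ...`.
issue_cert() {
  ca="$1"; name="$2"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\n' "$name" >"$WORK/$name.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# PKCS#12 keystore for instance $2 (cert + key + CA $1's cert), protected by
# password $3: the shape an ent_search.ssl.keystore.path setting expects.
make_p12() {
  ca="$1"; name="$2"; pass="$3"
  openssl pkcs12 -export -in "$WORK/$name.crt" -inkey "$WORK/$name.key" \
    -certfile "$WORK/$ca.crt" -name "$name" -passout "pass:$pass" \
    -out "$WORK/$name.p12" >/dev/null 2>&1
}

# Exit 0 when PEM certificate $2 verifies against CA $1.
pem_chains_to_ca() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# Exit 0 when the leaf certificate inside keystore $2 (password $3) verifies
# against CA $1: extract the cert from the p12, then verify it like the PEM one.
p12_chains_to_ca() {
  ca="$1"; name="$2"; pass="$3"
  openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$pass" -nokeys -clcerts \
    -out "$WORK/$name.from_p12.crt" >/dev/null 2>&1
  openssl verify -CAfile "$WORK/$ca.crt" "$WORK/$name.from_p12.crt" >/dev/null 2>&1
}

# SHA-256 fingerprint of CA $1's certificate, to see at a glance which CA is which.
ca_fingerprint() {
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

run_demo() {
  make_ca ca                               # the one CA everything should chain to
  make_ca other_ca                         # what a second on-the-fly run would produce
  issue_cert ca es01                       # PEM pair for an Elasticsearch node
  issue_cert ca enterprise_search          # same CA, then packaged as PKCS#12
  make_p12 ca enterprise_search changeme
  issue_cert other_ca stray                # signed by the other CA: must NOT verify
  printf 'CA fingerprint:       %s\n' "$(ca_fingerprint ca)"
  printf 'other CA fingerprint: %s\n' "$(ca_fingerprint other_ca)"
  pem_chains_to_ca ca es01 && echo "es01.crt chains to ca"
  p12_chains_to_ca ca enterprise_search changeme && echo "enterprise_search.p12 chains to ca"
  pem_chains_to_ca ca stray || echo "stray.crt (other CA) does NOT chain to ca"
}

run_demo
```

To run the same two checks on real certutil output, point `openssl verify -CAfile` at the extracted ca.crt and at each instance's .crt, and extract the leaf from the Enterprise Search .p12 with `openssl pkcs12 -nokeys -clcerts` before verifying it the same way; if either check fails, that artefact was not issued by the CA you passed with --ca-cert/--ca-key.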

Yes, that should work. We recommend having a separate step for generating the CA. In fact, generating the CA on the fly will be deprecated and removed in 8.0.

What do you mean by "generating the CA on the fly"?

Isn't that command already a "separate step" for generating the CA?

bin/elasticsearch-certutil ca --silent --pem -out /certs/ca.zip;
