Elasticsearch-certutil http

Hello everyone,
I found that generating HTTP certificates with the tool ./bin/elasticsearch-certutil http does not work when I have password-protected *.pem/*.key files. It only generates certs if -nodes was used when creating the CA cert.

My command to create RootCA.key and RootCA.pem:

openssl req -x509 -nodes -new -sha256 -days 10950 -newkey rsa:4096 -keyout RootCA.key -out RootCA.pem

After this creates the files RootCA.key and RootCA.pem, it's okay and the utility elasticsearch-certutil http can be used, but when I generate the CA without -nodes, with a password, then the utility elasticsearch-certutil http cannot be used and shows me errors:

Exception in thread "main" ElasticsearchException[Failed to read private key from /etc/elasticsearch/RootCA.key]; nested: IOException[PBE parameter parsing error: expecting the object identifier for AES cipher];
	at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.readPrivateKey(HttpCertificateCommand.java:1016)
	at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.readPemCA(HttpCertificateCommand.java:985)
	at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.findExistingCA(HttpCertificateCommand.java:784)
	at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.execute(HttpCertificateCommand.java:168)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:114)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:95)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:114)
	at org.elasticsearch.cli.Command.main(Command.java:79)
	at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:143)
Caused by: java.io.IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
	at java.base/com.sun.crypto.provider.PBES2Parameters.parseES(PBES2Parameters.java:335)
	at java.base/com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:239)
	at java.base/java.security.AlgorithmParameters.init(AlgorithmParameters.java:311)
	at java.base/sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:155)
	at java.base/sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:137)
	at java.base/sun.security.x509.AlgorithmId.parse(AlgorithmId.java:449)
	at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:98)
	at org.elasticsearch.xpack.core.ssl.PemUtils.parsePKCS8Encrypted(PemUtils.java:330)
	at org.elasticsearch.xpack.core.ssl.PemUtils.readPrivateKey(PemUtils.java:91)
	at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.readPrivateKey(HttpCertificateCommand.java:1009)
	... 9 more

I proceeded by this manual:

PS: I cannot find a similar issue, so I created this one.
BTW, this is my first ticket.

Thanks for the report. I can reproduce this (though it depends on the OpenSSL version) and will see what's triggering it.

It seems to be something about the specifics of the encryption algorithm being used for the PKCS#8 key, but I'll need to track down the specifics.

I've opened an issue: PemUtils fails to parse PKCS#8 private keys when using PBES2 (elastic/elasticsearch #78901 on GitHub)

It looks like (at least in recent versions) OpenSSL defaults to using PBES1 when converting RSA keys to PKCS#8 (openssl pkcs8 -topk8) but PBES2 when using openssl req.

Parsing PBES2 in Java is a little trickier than PBES1, and we don't support it correctly at the moment.

You can probably work around this by generating the key with -nodes and then encrypting it with

openssl pkcs8 -topk8 -in RootCA-nodes.key -out RootCA.key -v1 PBE-MD5-DES
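The trace in the report ends inside the JDK's own PBES2Parameters, which accepts only aes128-CBC and aes256-CBC as the PBES2 encryption scheme; a PBES2 key wrapping des-ede3-cbc is rejected with exactly the "expecting the object identifier for AES cipher" message shown. Before handing a key to elasticsearch-certutil http it is worth checking which scheme the file actually carries. The script below is an added example, not code from this thread or from Elasticsearch: it walks the DER of a PKCS#8 EncryptedPrivateKeyInfo (a BEGIN ENCRYPTED PRIVATE KEY block) and reports the outer scheme and, for PBES2, the KDF and cipher OIDs. build_sample is a constructed-input helper that wraps dummy ciphertext in well-formed structures so the script runs offline; a real file is read the same way with inspect_key(open("RootCA.key", "rb").read()). The OID-to-name table is an assumed mapping covering the schemes openssl req and openssl pkcs8 -v1 commonly emit. Whether Elasticsearch's PemUtils then handles an AES-based PBES2 key is what the linked issue is about, not something this check decides. One caveat on the workaround itself: PBE-MD5-DES is MD5 with single DES; openssl's -v1 also lists PBE-SHA1-3DES, a PKCS#12-style PBE rather than PBES2, which is worth trying against your certutil version if you want a stronger cipher.

```python
"""Report which password-based scheme protects a PKCS#8 private key (added example)."""
import base64
import re

PBES2_OID = "1.2.840.113549.1.5.13"
PBKDF2_OID = "1.2.840.113549.1.5.12"
# The JDK's PBES2Parameters.parseES accepts only these two ciphers inside PBES2.
JDK_PBES2_CIPHERS = {"2.16.840.1.101.3.4.1.2", "2.16.840.1.101.3.4.1.42"}
NAMES = {                                                       # assumed OID table
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PBES1)",     # openssl pkcs8 -v1 PBE-MD5-DES
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PBES1)",   # openssl pkcs8 -v1 PBE-SHA1-DES
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE)",  # -v1 PBE-SHA1-3DES
    PBES2_OID: "PBES2",
    PBKDF2_OID: "PBKDF2",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}
SEQUENCE, OCTET_STRING, OID, INTEGER = 0x30, 0x04, 0x06, 0x02


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                                 # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _pem_to_der(pem):
    m = re.search(rb"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#8 ENCRYPTED PRIVATE KEY block")
    return base64.b64decode(b"".join(m.group(1).split()))


def inspect_key(data):
    """Describe the encryption scheme of a PEM or DER PKCS#8 EncryptedPrivateKeyInfo."""
    if b"DEK-Info:" in data:                           # legacy PKCS#1 PEM encryption, not PKCS#8
        return {"format": "legacy-pem", "scheme": None}
    der = _pem_to_der(data) if data.lstrip().startswith(b"-----") else data
    tag, epki, _ = _read_tlv(der, 0)                   # EncryptedPrivateKeyInfo ::= SEQUENCE
    tag2, alg, _ = _read_tlv(epki, 0)                  # encryptionAlgorithm AlgorithmIdentifier
    if tag != SEQUENCE or tag2 != SEQUENCE:
        raise ValueError("malformed EncryptedPrivateKeyInfo")
    _, oid_body, pos = _read_tlv(alg, 0)
    scheme = _decode_oid(oid_body)
    info = {"format": "pkcs8", "scheme": scheme, "scheme_name": NAMES.get(scheme, "unknown")}
    if scheme == PBES2_OID:                            # PBES2-params ::= SEQUENCE { kdf, encryptionScheme }
        _, params, _ = _read_tlv(alg, pos)
        _, kdf, pos = _read_tlv(params, 0)
        _, enc, _ = _read_tlv(params, pos)
        info["kdf"] = _decode_oid(_read_tlv(kdf, 0)[1])
        info["cipher"] = _decode_oid(_read_tlv(enc, 0)[1])
        info["cipher_name"] = NAMES.get(info["cipher"], "unknown")
        info["jdk_pbes2_parsable"] = info["cipher"] in JDK_PBES2_CIPHERS
    return info


def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(OID, bytes(out))


def build_sample(scheme, kdf=None, cipher=None):
    """Constructed input: a well-formed EncryptedPrivateKeyInfo around dummy ciphertext."""
    salt_iter = _tlv(OCTET_STRING, b"\x00" * 8) + _tlv(INTEGER, b"\x08\x00")   # salt, 2048 iterations
    if scheme == PBES2_OID:
        kdf_ai = _tlv(SEQUENCE, _encode_oid(kdf) + _tlv(SEQUENCE, salt_iter))
        enc_ai = _tlv(SEQUENCE, _encode_oid(cipher) + _tlv(OCTET_STRING, b"\x00" * 16))  # IV
        params = _tlv(SEQUENCE, kdf_ai + enc_ai)
    else:
        params = _tlv(SEQUENCE, salt_iter)
    der = _tlv(SEQUENCE, _tlv(SEQUENCE, _encode_oid(scheme) + params) + _tlv(OCTET_STRING, b"\x00" * 32))
    return b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(der) + b"-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    # PBES2 over des-ede3-cbc (the combination behind the trace's AES-OID error) vs. the -v1 PBE-MD5-DES workaround
    print(inspect_key(build_sample(PBES2_OID, PBKDF2_OID, "1.2.840.113549.3.7")))
    print(inspect_key(build_sample("1.2.840.113549.1.5.3")))
```

From the command line, openssl asn1parse -i -in RootCA.key prints the same OIDs (look at the first OBJECT entry and, under PBES2, the two nested AlgorithmIdentifiers); the script just makes the classification scriptable for a fleet of key files.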