Elasticsearch crashes with PEM certificate error when using pfx split into separate certificate and key

[ERROR][c.a.o.s.s.DefaultOpenDistroSecurityKeyStore] [example.com] Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.

Given a machine certificate example.pfx, I can extract the key and certificate into two separate files, example-certificate.pem and example-certificate-key.pem, using the commands below from Converting pfx to pem using openssl.

Extracts the private key from a PFX to a PEM file:

openssl pkcs12 -in example.pfx -nocerts -out key.pem

Exports the certificate (includes the public key only):

openssl pkcs12 -in example.pfx -clcerts -nokeys -out example-certificate.pem

Removes the password from the extracted private key (Elasticsearch does not support keys on private keys):

openssl rsa -in key.pem -out example-certificate-key.pem

I keep hitting the same error. Is there a way I can confirm whether my PEM files are correct or not, to narrow down whether the error is caused by Elasticsearch, the PEM conversion, the PFX files I receive, or something else?

Elasticsearch requires the private key to be in pkcs8 format.
Convert the extracted key to pkcs8 with

openssl pkcs8 -in example-certificate-key.pem -topk8 -nocrypt -out example-certificate-key-pkcs8.pem

Welcome to our community! :smiley:

And thanks heaps for providing your solution!

A few things that I'd like to clarify:

  1. Elasticsearch does not require pkcs8 format for a private key. The initial error is most likely because you didn't specify the password for the password-protected key file (as suggested by the error message). In fact, both example-certificate-key.pem and the later example-certificate-key-pkcs8.pem files should be of pkcs8 format. Just the latter is not password protected because you explicitly specified -nocrypt.
  2. The error message shows that you are using OpenDistro for Elasticsearch. It's a different product from the actual Elasticsearch, especially when it comes to security. Therefore, it is possible that it may behave differently or not support the same things that we support.
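The question asks how to confirm that the converted PEM files are correct, and the clarification above hinges on whether a key is password-protected rather than on PKCS#1 versus PKCS#8. The script below is an added example (not from the original thread or from Elastic/OpenDistro) that checks exactly those things with nothing but openssl: it classifies a PEM file by its header, tests whether the key loads without a password, and confirms that the certificate's public key is the one derived from the private key. The fixtures it builds (a throwaway RSA key in PKCS#8, PKCS#1 and encrypted PKCS#8 form, a matching self-signed certificate, and an unrelated key) are constructed here so the script runs offline; file names, the password `secret` and the CN `example.com` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Requires the openssl CLI
# (tested against the 1.1.1 and 3.x command syntax).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Classify a PEM file by its first BEGIN header. Both outputs of
# "openssl pkcs8 -topk8" are PKCS#8; only the encrypted one needs a password.
# A certificate handed in as a key is the "confused keys and certificates"
# case from the error message.
key_format() {
    if grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then echo pkcs8-encrypted
    elif grep -q 'BEGIN PRIVATE KEY' "$1"; then echo pkcs8
    elif grep -q 'BEGIN RSA PRIVATE KEY' "$1"; then echo pkcs1
    elif grep -q 'BEGIN CERTIFICATE' "$1"; then echo certificate
    else echo unknown
    fi
}

# Exit 0 if the key loads with no password (so no key password must be
# configured), non-zero if it is password-protected or not a key at all.
key_loads_without_password() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# Exit 0 if the certificate's SubjectPublicKeyInfo equals the public key
# derived from the private key. $3 is the key password ("" if none).
cert_matches_key() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)" || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed fixtures (assumed names): one key in three encodings, a
# self-signed certificate for it, and an unrelated key for the mismatch case.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/key-pkcs8.pem" 2>/dev/null
openssl pkey -in "$WORK/key-pkcs8.pem" -traditional -out "$WORK/key-pkcs1.pem"
openssl pkcs8 -topk8 -in "$WORK/key-pkcs8.pem" -passout pass:secret -out "$WORK/key-enc.pem"
openssl req -x509 -new -key "$WORK/key-pkcs8.pem" -subj /CN=example.com -days 1 -out "$WORK/cert.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other-key.pem" 2>/dev/null

# Report: which file is which, and does the pair actually belong together?
for f in key-pkcs8 key-pkcs1 key-enc other-key cert; do
    printf '%s: %s\n' "$f.pem" "$(key_format "$WORK/$f.pem")"
done
if cert_matches_key "$WORK/cert.pem" "$WORK/key-enc.pem" secret; then
    echo "cert.pem matches key-enc.pem (given its password)"
fi
if ! key_loads_without_password "$WORK/key-enc.pem"; then
    echo "key-enc.pem is password-protected: strip it (openssl pkcs8 -topk8 -nocrypt) or configure the password"
fi
```

Run the three checks against your own example-certificate.pem and example-certificate-key.pem: a header of `ENCRYPTED PRIVATE KEY` plus a failing no-password load means the key still carries the PFX password and you must either strip it or configure it; a mismatch from `cert_matches_key` means the key and certificate came from different PFX files or the wrong one was exported.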

Thanks for clarifying. I will confirm your solution and update our documentation, as well as the answer here, at our next upgrade.
