Elasticsearch didn't create ca.key. How can I create a new key/crt for new instances?

Hi guys,

I've used this documentation to encrypt the communication in the ELK (7.4.0) cluster: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

especially this command: bin/elasticsearch-certutil cert ca --pem --in ~/tmp/cert_blog/instance.yml --out ~/tmp/cert_blog/certs.zip

The output of it is a zip file, which contains a key/crt for every node and the root ca.crt (without ca.key).

Now I would like to create a new key/crt for a filebeat instance, but I can't because ca.key is required (read here: https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html), but it has not been created.

How can I now create new certificates for new nodes?

I'm afraid that you can't.
The instructions that you followed do not keep a copy of the CA key, so it is not possible to add new certificates.

I'll see what I can do to update that blog post with a warning, or additional instructions to retain the CA key, because I do not recommend creating a throw-away CA like that.

Thank you for the reply. It means to me that I have to recreate the CA (now with --keep-ca-key parameter) and certificates/keys and exchange all certificates and keys on the ELK nodes.

After that I can use the ca.crt and ca.key files to create new certificates/keys, for example for beats or new cluster nodes.

Can you explain why you "do not recommend creating a throw-away CA like that"?

