When updating the certificate using the following command, "elasticsearch-certutil http", at the end it shows the error:
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
    at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:177)
    at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeCertificateAndKeyDetails(HttpCertificateCommand.java:346)
    at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeZip(HttpCertificateCommand.java:262)
    at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.execute(HttpCertificateCommand.java:235)
    at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116)
    at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:80)
    at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116)
    at org.elasticsearch.cli.Command.main(Command.java:79)
    at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:138)
Please share your code as well, as this makes it rather hard to debug. Also please format your code snippets for readability.
The 2nd line contains the following statement:
java.lang.IllegalArgumentException: ca certificate is not a CA!
Are you making sure that your CA configuration for the truststore is a CA cert?
See Encrypted communication | Java REST Client [7.12] | Elastic
We are enabling SSL for Elasticsearch; for this we are installing the certificate.
- Generated the CSR and private key using OpenSSL in Linux.
- Using the same, we have generated the .p7b certificate from the organization.
- Using the certificate and private key, we have generated the .pfx file with OpenSSL, using the following commands.
Command 1: "openssl pkcs7 -print_certs -in Cert.p7b -out Cert.cer"
Command 2: "openssl pkcs12 -export -in Cert.cer -inkey private.key -out certificatename.pfx -certfile Cert.cer"
- When updating the certificate using the Elasticsearch command in the following URL (Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.12] | Elastic), when it asks to provide the end zip file name, it throws the error message on the screen.
If I understand it correctly, your intention is to use the corporate signed certificate as the CA to sign the certificates required for elasticsearch's HTTPS interface.
When you invoke "elasticsearch-certutil http", you answered "y" to "Use an existing CA?" and entered the path to the file certificatename.pfx for the following question of "CA Path:". You then ran into the error in the original post.
The error message is "ca certificate is not a CA!" and it literally means the certificate stored in certificatename.pfx cannot be used as a CA. A certificate can have different constraints and not every one of them can be a CA. This can be verified with the following command:
openssl pkcs12 -in certificatename.pfx -nodes -nokeys | openssl x509 -text -noout -in -
Look for "Basic Constraints" in the output. It will say "CA:FALSE" if the certificate cannot be used as a CA. To fix this, you need to regenerate your certificate so the CA constraint is removed.
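The Basic Constraints check described in the answer above, wrapped in a reusable function and run against two throwaway bundles, as an added example that is not part of the original thread. The function names, certificate subjects, file names and password are constructed placeholders, and the test certificates are self-signed purely to show both outcomes.

```shell
#!/bin/sh
# Added example. All names, subjects and the password are constructed placeholders.
PASS='example-password'

# make_bundle DIR NAME SECTION: build a throwaway self-signed certificate whose
# extensions come from SECTION ("ca" or "leaf") and wrap it in DIR/NAME.pfx.
make_bundle() {
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n[leaf]\nbasicConstraints=CA:FALSE\n' \
    > "$1/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
    -extfile "$1/ext.cnf" -extensions "$3" -out "$1/$2.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" \
    -out "$1/$2.pfx" -passout "pass:$PASS"
}

# is_ca_bundle FILE PASSWORD
# Inspects the certificate paired with the private key in a PKCS#12 bundle.
# Returns 0 = CA:TRUE, 1 = not a CA, 2 = bundle unreadable (e.g. wrong password).
is_ca_bundle() {
  text=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text 2>/dev/null) || return 2
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Demo: check both constructed bundles before handing one to a tool as a CA.
demo_dir=$(mktemp -d)
for name in ca leaf; do
  make_bundle "$demo_dir" "$name" "$name" || exit 1
  if is_ca_bundle "$demo_dir/$name.pfx" "$PASS"; then
    echo "$name.pfx: CA:TRUE, usable as a signing CA"
  else
    echo "$name.pfx: no CA:TRUE, not usable as a signing CA"
  fi
done
rm -rf "$demo_dir"
```
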