Encrypt HTTP Client

When updating the certificate using the following commands "elasticsearch-certutil http". At end it is showing the error.
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is
not a CA!
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCerti
at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeCert
at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.writeZip(
at org.elasticsearch.xpack.security.cli.HttpCertificateCommand.execute(H
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwar
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:1
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:80)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:1
at org.elasticsearch.cli.Command.main(Command.java:79)
at org.elasticsearch.xpack.security.cli.CertificateTool.main(Certificate

Please share your code as well, as this makes it rather hard to debug. Also please format your code snippets for readability.

The 2nd line contains the following statement

java.lang.IllegalArgumentException: ca certificate is
not a CA!

Are you making sure that your CA configuration for the truststore is a CA cert?

See Encrypted communication | Java REST Client [7.12] | Elastic

We are enabling SSL for elastic search, for this we are installing the certificate.

  1. Generated CSR and private key using Open SSL in Linux.
  2. Using the same we have generated the .p7b certificate from the origanization.
  3. Using the certificate and private key we have generated the .pfx file from OPEN SSL, using the following command.
    Command 1:" openssl pkcs7 -print_certs -in Cert.p7b -out Cert.cer"
    Command 2:"openssl pkcs12 -export -in Cert.cer -inkey private.key -out certificatename.pfx -certfile Cert.cer"
  4. When updating the certificate using the elastic search command in the following url(Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [7.12] | Elastic) and when it ask to provide the end zip file name, it would throw the error message on the screen.

If I understand it correctly, your intention is to use the corporate signed certificate as the CA to sign the certificates required for elasticsearch's HTTPS interface.

When you invoke elasticsearch-certutil http, you answered y to Use an existing CA? and entered the path to the file certificatename.pfx for the following question of CA Path: . You then ran into the error in the original post.

The error message is ca certificate is not a CA! and it literally means the certificate stored in certificatename.pfx cannot be used as a CA. A certificate can have different constraints and not every one of them can be a CA. This can be verified with following command:

openssl pkcs12 -in certificatename.pfx -nodes -nokeys | openssl x509 -text -noout -in -

Look for Basic Constraints in the output. It will say CA:FALSE if the certificate cannot be used as a CA. To fix this, you need regenerate your certificate so the CA constraint is removed.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.