A quick note on terminology:
It doesn't look like you're trying to generate "self-signed" client certificates (nor do you have "self-signed" server certificates).
In your first step, when you generate the CA, that's a "self-signed" certificate. It was issued (signed) by itself - if you look at the certificate you will see that the "Issuer" and "Subject" are the same.
But in your second step you provide a CA which is the issuer of the server cert. If you look at the certificate it will have a different "Issuer" and "Subject". That means it's not "self-signed" - the cert didn't sign itself, it was signed by a CA.
You are creating a certificate that is signed by a CA that you control, rather than a commercial CA, but that distinction doesn't really change the nature of the certificate - it just means it uses a CA that won't be trusted by other people.
That matters in practice - it's a real thing to care about because it will affect how clients need to be configured in order to connect successfully - but it's not the same as "self-signed".
Not trying to be pedantic, but being clear on language and terminology can help reduce confusion.
Knowing this self signed server side configuration, how to generate the client certificates which will connect to this backend?
I would recommend that you have a different CA for your server and client certificates. You don't have to separate them, but there are benefits to doing so, and almost no benefit to having them the same.
Unfortunately there's no way to tell certutil what name to use for the files inside the zip, so they will still be called ca/ca.crt and ca/ca.key. You probably want to rename them to client-auth-ca.crt and client-auth-ca.key to be clear. The rest of my instructions will assume that you've done that.
Change the certificate_authorities in your elasticsearch.yml to point to the new CA.
You may need to also provide a username/password depending on your ES node configuration, but you should see that you can connect with logstash.crt + logstash.key and the handshake fails without it.
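The Issuer/Subject distinction from the terminology note can be checked with openssl. The script below is an added example, not part of the original post: it builds a throwaway CA and a certificate signed by it, then classifies each one. The subject names, file names and helper function names are all constructed for illustration, and it goes slightly beyond the note by also verifying the signature rather than comparing names alone.

```shell
#!/bin/sh
# Added example: all subjects, file names and helpers here are constructed.

# Print one DN field ("issuer" or "subject") of the PEM certificate in $2.
cert_dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# True when Issuer and Subject are identical and the certificate's
# signature verifies against its own public key.
is_self_signed() {
    [ "$(cert_dn issuer "$1")" = "$(cert_dn subject "$1")" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# True when certificate $2 chains directly to the CA certificate $1.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway CA and a certificate signed by it, in directory $1.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=constructed-node.example" \
        -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null
    openssl x509 -req -in "$1/node.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/node.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for f in ca.crt node.crt; do
    if is_self_signed "$demo_dir/$f"; then kind="self-signed"; else kind="CA-signed"; fi
    printf '%s: %s\n  issuer:  %s\n  subject: %s\n' "$f" "$kind" \
        "$(cert_dn issuer "$demo_dir/$f")" "$(cert_dn subject "$demo_dir/$f")"
done
```

Running `is_self_signed` and `issued_by` against your own CA and node certificates shows which file is the trust anchor and which certificates it actually issued.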