Having different passwords for the PKCS12 keystore and the private key in the keystore

I am confused about how I should handle the passwords for the keystore and the private key inside the keystore. I used the following OpenSSL commands to generate my own certificate, signed by my own CA, to secure the HTTP layer connection of Elasticsearch.

  1. generating a key with the password keypass
    openssl genpkey -algorithm RSA -out http.key.pem -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:keypass
  2. using the key generated in the previous step to create a CSR
    openssl req -new -key http.key.pem -out http.csr.pem -config ./san.conf
  3. then signing the CSR from the previous step with my own CA to create the certificate
    openssl ca -in http.csr.pem -out http.crt.pem -config myopenssl.cnf
  4. and then converting the key and the crt into a PKCS12 file with the password storepass for the PKCS12 keystore that is going to be generated
    openssl pkcs12 -export -inkey http.key.pem -passin pass:keypass -in http.crt.pem -out http.keystore.p12 -passout pass:storepass

So to summarize, I have a key and a keystore with two different passwords:

key: http.key.pem ---with--the-password---> "keypass"

keystore: http.keystore.p12 ---with--the-password---> "storepass"

At first I thought I should set both xpack.security.http.ssl.keystore.secure_password and xpack.security.http.ssl.keystore.secure_key_password for this to work, but setting xpack.security.http.ssl.keystore.secure_password ---> storepass and xpack.security.http.ssl.keystore.secure_key_password ---> keypass caused the following error:

failed to load SSL configuration [xpack.security.http.ssl] - cannot load [PKCS12] keystore from [/etc/elasticsearch/certs/mycerts/http.keystore.p12] due to UnrecoverableKeyException

Then I removed the xpack.security.http.ssl.keystore.secure_key_password entry from the keystore, which I guess caused the same password to be used for both the PKCS12 file and the private key inside it, and that solved the problem.

So now I am kind of confused: how could I set different passwords for a PKCS12 file and the private key inside it? And also, when is it necessary to set the xpack.security.http.ssl.keystore.secure_key_password parameter?

Why do step 4?

Elasticsearch is perfectly capable of handling PEM certificates and keys. Is there a reason you're converting them to PKCS#12? It seems redundant and is just introducing more pain.

But as for your actual question...

openssl pkcs12 will change the password on the private key to match the password of the PKCS#12 keystore. So although the password was keypass when it was a standalone PEM-formatted key, the password is changed to storepass when you add it to the keystore.

But that is a specific openssl behaviour. Other tooling (e.g. the JDK's keytool) can store keys with a different password than the keystore's password.
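The following script is an added example, not the original poster's commands or anything from the Elasticsearch project. It reruns the four-step flow from the question with both passwords passed explicitly, then checks which password actually opens the private key inside the resulting .p12, which is the behaviour the answer above describes. Assumed for the example: a scratch directory is acceptable, the poster's san.conf is replaced by a minimal config constructed inline, and a throwaway CA signed with openssl x509 -req stands in for the poster's openssl ca setup (which needs a CA database and myopenssl.cnf). The passwords keypass and storepass are the ones from the thread.

```shell
#!/bin/sh
# Added example (not the original poster's or the Elasticsearch project's code).
# It redoes the four-step flow with the passwords given explicitly, then checks
# which password actually opens the private key inside the PKCS#12 file.
# Assumptions: a scratch directory is acceptable, san.conf is a minimal
# stand-in constructed here, and 'openssl x509 -req' signs with a throwaway CA
# in place of the poster's 'openssl ca' setup (which needs a CA database).
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYPASS="keypass"      # password of the standalone PEM key (from the thread)
STOREPASS="storepass"  # password of the PKCS#12 keystore (from the thread)

build_pkcs12() {
    cd "$WORK"

    # Minimal stand-in for the poster's san.conf (constructed for this example).
    cat > san.conf <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = localhost
[v3_req]
subjectAltName = DNS:localhost,IP:127.0.0.1
EOF

    # 0. Throwaway CA standing in for "my own CA".
    openssl genpkey -algorithm RSA -out ca.key.pem -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -x509 -key ca.key.pem -out ca.crt.pem -days 1 \
        -config san.conf -subj "/CN=Example Test CA" 2>/dev/null

    # 1. Private key encrypted under "keypass".
    openssl genpkey -algorithm RSA -out http.key.pem -pkeyopt rsa_keygen_bits:2048 \
        -aes256 -pass pass:"$KEYPASS" 2>/dev/null

    # 2. CSR from that key; -passin supplies "keypass" non-interactively.
    openssl req -new -key http.key.pem -passin pass:"$KEYPASS" \
        -out http.csr.pem -config san.conf

    # 3. Sign the CSR with the CA, carrying the SAN extension over.
    openssl x509 -req -in http.csr.pem -CA ca.crt.pem -CAkey ca.key.pem \
        -CAcreateserial -days 1 -extfile san.conf -extensions v3_req \
        -out http.crt.pem 2>/dev/null

    # 4. Export to PKCS#12: -passin unlocks the PEM key, -passout sets the
    #    store password; openssl re-encrypts the key under -passout.
    openssl pkcs12 -export -inkey http.key.pem -passin pass:"$KEYPASS" \
        -in http.crt.pem -out http.keystore.p12 -passout pass:"$STOREPASS"
}

# Try to extract the private key from the PKCS#12 with the given password.
# Prints "ok" when the key decrypts and "fail" otherwise.
key_opens_with() {
    if openssl pkcs12 -in "$WORK/http.keystore.p12" -nocerts -nodes \
            -passin pass:"$1" -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo fail
    fi
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 0; }
    build_pkcs12
    echo "storepass opens the key: $(key_opens_with "$STOREPASS")"   # ok
    echo "keypass opens the key:   $(key_opens_with "$KEYPASS")"     # fail
}

main
```

After the export, the key inside http.keystore.p12 answers only to storepass; keypass no longer opens anything. That is consistent with the observation in the question that a single secure_password entry works while setting secure_key_password to keypass fails: as far as the .p12 is concerned, keypass is not the key's password any more.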