I am confused about how I should handle the passwords for the keystore and the private key inside the keystore. I used the following OpenSSL commands to generate my own certificate, signed by my own CA, to secure the HTTP-layer connection of Elasticsearch.
- Generating a key with the password keypass:
openssl genpkey -algorithm RSA -out http.key.pem -pkeyopt rsa_keygen_bits:2048 -aes256 -pass pass:keypass
- Using the key generated in the previous step to create a CSR:
openssl req -new -key http.key.pem -out http.csr.pem -config ./san.conf
- Then signing the CSR from the previous step with my own CA to create the certificate:
openssl ca -in http.csr.pem -out http.crt.pem -config myopenssl.cnf
- And then converting the key and the crt into a PKCS12 file, using the password storepass for the PKCS12 keystore that is going to be generated:
openssl pkcs12 -export -inkey http.key.pem -in http.crt.pem -out http.keystore.p12
So to summarize, I have a key and a keystore with two different passwords:
key: http.key.pem ---with--the-password---> "keypass"
keystore: http.keystore.p12 ---with--the-password---> "storepass"
At first I thought I should set both xpack.security.http.ssl.keystore.secure_password
and xpack.security.http.ssl.keystore.secure_key_password
for this to work, but setting xpack.security.http.ssl.keystore.secure_password ---> storepass
and xpack.security.http.ssl.keystore.secure_key_password ---> keypass
caused the following error:
failed to load SSL configuration [xpack.security.http.ssl] - cannot load [PKCS12] keystore from [/etc/elasticsearch/certs/mycerts/http.keystore.p12] due to UnrecoverableKeyException
Then I removed the xpack.security.http.ssl.keystore.secure_key_password
entry from the keystore, which I guess caused the same password to be used for both the PKCS12 file and the private key inside it, and that solved the problem.
So now I am kind of confused: how could I set different passwords for a PKCS12 file and the private key inside it? And also, when is it necessary to set the xpack.security.http.ssl.keystore.secure_key_password
parameter?
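The procedure from the question, reproduced as an added example (not code from the original post) that checks which password actually ends up protecting the key inside the .p12 that openssl pkcs12 -export writes. It assumes the openssl CLI is installed and uses a self-signed certificate in place of the separate CA signing step.

```shell
#!/bin/sh
# Added example: rebuild the two-password setup and test which password
# unlocks the private key stored in the resulting PKCS12 file.
# Assumes the openssl CLI; self-signed cert stands in for the CA step.
set -e

WORK="${WORK:-$(mktemp -d)}"
KEYPASS="keypass"     # passphrase on the PEM private key (constructed value)
STOREPASS="storepass" # passphrase given to pkcs12 -export (constructed value)

# Same kind of artifacts as in the question: encrypted PEM key, cert, .p12.
make_p12() {
  openssl genpkey -algorithm RSA -out "$WORK/http.key.pem" \
    -pkeyopt rsa_keygen_bits:2048 -aes256 -pass "pass:$KEYPASS" 2>/dev/null
  openssl req -new -x509 -key "$WORK/http.key.pem" -passin "pass:$KEYPASS" \
    -subj "/CN=example-node" -days 1 -out "$WORK/http.crt.pem" 2>/dev/null
  # -passin only decrypts the PEM key on the way in; -passout is the single
  # password written into the .p12 (key entry encryption and integrity MAC).
  openssl pkcs12 -export -inkey "$WORK/http.key.pem" -passin "pass:$KEYPASS" \
    -in "$WORK/http.crt.pem" -out "$WORK/http.keystore.p12" \
    -passout "pass:$STOREPASS" 2>/dev/null
}

# Try to read the private key back out of the .p12 with a candidate password.
# Prints "ok" if that password unlocks the key, "fail" otherwise.
key_opens_with() {
  if openssl pkcs12 -in "$WORK/http.keystore.p12" -nocerts -nodes \
       -passin "pass:$1" -out /dev/null >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_p12
echo "storepass unlocks key: $(key_opens_with "$STOREPASS")"   # ok
echo "keypass   unlocks key: $(key_opens_with "$KEYPASS")"     # fail
```

Because openssl pkcs12 -export protects the key entry and the file MAC with the same -passout value, the original PEM passphrase no longer exists anywhere in the .p12, which is why only secure_password is needed for a store built this way; Elasticsearch's secure_key_password defaults to the keystore password and is only needed for stores whose key entry was given its own, different password.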