Help with http certs in elasticsearch

I used elasticsearch-certutil with my company's CA.jks to create http certificates for my node, but at the last step, when I send the output zip file to the path I give, I get the following error:

Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is nota CA!

The script I was running:

/usr/share/elasticsearch/bin/elasticsearch-certutil http

What format do we need to use? The CA we were using was .jks.

We have tried so many things and even tried with our own certificates produced by our company and nothing works.

Hi @Mary2022, you need your CA to follow this... so .p12 or .pem.

See Here

--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter is only applicable to the cert parameter.
--ca-cert <file_path>
Specifies the path to an existing CA certificate (in PEM format). You must also specify the --ca-key parameter. The --ca-cert parameter is only applicable to the cert parameter.

Stephen,

Let me go back to when we started trying to generate the certificates for our nodes and before we tried multiple combinations/formats.

The CA from my company came in .jks format, and when I ran the script below for the first time I got an error saying my CA didn't have a key entry.

/usr/share/elasticsearch/bin/elasticsearch-certutil http

  • Question 1, does it matter if the CA doesn't have a key entry?

  • Question 2, should we better convert my ca.jks to ca.p12 and then run the script below?

/usr/share/elasticsearch/bin/elasticsearch-certutil --ca /etc/elasticsearch/certs/ca.p12

  • Question 3, will this (the script above) prompt me for the information needed to create the certificates for my nodes?

  • Question 4, is another option to run the script below to create the CSR with the ca.p12, to then create the nodes' certificates and key?

/usr/share/elasticsearch/bin/elasticsearch-certutil csr

@stephenb ok, I took my jks and converted this one to .p12 using keytool. Then I tried using the elasticsearch-certutil in CERT mode with the CA my organization gave me and I got the error "your CA doesn't have a key entry". Does a CA require a key entry?

Hi @Mary2022

Apologies, but I'm not a low-level cert guru...

I have used our tools to create self-signed CAs and Certs

And I have generated certs from the normal public authority type, like Let's Encrypt.

I'm not sure exactly how to work with your company generated CA. I suspect you may need to ask your cert expert in the company.

Nothing Elastic does is unusual with respect to CAs and Certs

All that said, I do believe .p12 must have a key... Again, you probably need to check with your guru... how to convert your .jks to a .p12 or a .pem + key.

Yes, you need to have the key for the CA.
It isn't possible to use a CA to issue new certificates unless you have the private key.

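The two errors in this thread correspond to two properties a CA bundle must have before elasticsearch-certutil can sign with it: the certificate must carry a CA:TRUE basic constraint, and the PKCS#12 file must hold the CA's private key. The script below is an added example, not code from the thread or from Elastic, that checks both with openssl. It assumes openssl is on PATH; the file names and the password "changeit" are constructed for the demo, and the demo material it builds (a throwaway CA, a node certificate, and two PKCS#12 bundles of the CA, one with and one without its key) exists only to exercise the checks.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic: pre-flight checks
# for the CA material handed to elasticsearch-certutil. It covers the two
# failures seen in the thread: a certificate without the CA:TRUE basic
# constraint ("ca certificate is not a CA") and a PKCS#12 bundle without a
# private key ("your CA doesn't have a key entry"). Needs openssl on PATH.
# All file names and the password "changeit" are constructed for the demo.
#
# Converting a JKS keystore to PKCS#12 (the step Mary did) is usually:
#   keytool -importkeystore -srckeystore ca.jks -destkeystore ca.p12 -deststoretype PKCS12
# Only a keystore that holds the CA's private key can be used to sign.
set -eu

# Print "yes" if the PEM certificate carries basicConstraints CA:TRUE, else "no".
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Print "yes" if the PKCS#12 file ($1, password $2) contains a private key, else "no".
p12_has_key() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
            | grep -q 'PRIVATE KEY'; then
        echo yes
    else
        echo no
    fi
}

# Build throwaway material in a temp dir and print its path (constructed demo data):
# a self-signed CA, a node cert issued by it, and two PKCS#12 bundles of the CA,
# one with its private key and one with the certificate only.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=node1' \
        -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -in "$dir/node.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/node.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/ca.pem" -inkey "$dir/ca.key" \
        -passout pass:changeit -out "$dir/ca-with-key.p12"
    openssl pkcs12 -export -in "$dir/ca.pem" -nokeys \
        -passout pass:changeit -out "$dir/ca-cert-only.p12"
    echo "$dir"
}

# Stand-alone run: exercise both checks on the demo material.
demo=$(make_demo_material)
echo "ca.pem is a CA:            $(is_ca_cert "$demo/ca.pem")"        # yes
echo "node.pem is a CA:          $(is_ca_cert "$demo/node.pem")"      # no
echo "ca-with-key.p12 has key:   $(p12_has_key "$demo/ca-with-key.p12" changeit)"   # yes
echo "ca-cert-only.p12 has key:  $(p12_has_key "$demo/ca-cert-only.p12" changeit)"  # no
```

To use it on real material, point is_ca_cert at the PEM export of your CA and p12_has_key at the .p12 you converted from the .jks; a "no" from either check is the condition certutil is complaining about, and the fix is obtaining the keystore that actually contains the CA key from whoever operates the company CA rather than re-running certutil with different formats.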
