I used elasticsearch-certutil with my company's CA.jks to create http certificates for my node, but at the last step, when it sends the output zip file to the path I give, I get the following error:
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter is only applicable to the cert parameter.
--ca-cert <file_path>
Specifies the path to an existing CA certificate (in PEM format). You must also specify the --ca-key parameter. The --ca-cert parameter is only applicable to the cert parameter.
@stephenb OK, I took my jks and converted it to .p12 using keytool. Then I tried using elasticsearch-certutil in CERT mode with the CA my organization gave me and I got the error "your CA doesnt have a key entry". Does a CA require a key entry?
I have used our tools to create self-signed CAs and Certs.
And I have generated Certs from the normal public authority type like Let's Encrypt.
I'm not sure exactly how to work with your company generated CA. I suspect you may need to ask your cert expert in the company.
Nothing Elastic does is unusual with respect to CAs and Certs.
All that said I do believe .p12 must have a key... Again, you probably need to check with your guru.. how to convert your .jks to a .p12 or a .pem + key
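The two errors in this thread can be checked before running elasticsearch-certutil. The script below is an added example, not code from the posters or from Elastic: it tests whether a PEM certificate is marked as a CA and whether a PKCS#12 file contains a private key. It assumes the openssl CLI is installed and that "not a CA" refers to the X.509 basicConstraints CA flag; the file names and the password `changeit` are constructed samples.

```shell
#!/bin/sh
# Added example. Requires the openssl CLI. All names below are constructed samples.

# True if the PEM certificate $1 carries basicConstraints CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# True if the PKCS#12 file $1 (password $2) contains a private key.
p12_has_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Build constructed samples in directory $1: a CA certificate, a leaf (non-CA)
# certificate, a PKCS#12 with the CA key pair, and a certificate-only PKCS#12
# (what a truststore converted from .jks typically looks like).
make_samples() {
  d=$1
  for spec in ca:TRUE leaf:FALSE; do
    kind=${spec%%:*}; flag=${spec##*:}
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
      'x509_extensions=ext' '[dn]' "CN=sample-$kind" \
      '[ext]' "basicConstraints=critical,CA:$flag" > "$d/$kind.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/$kind.cnf" \
      -keyout "$d/$kind.key" -out "$d/$kind.pem" 2>/dev/null || return 1
  done
  openssl pkcs12 -export -in "$d/ca.pem" -inkey "$d/ca.key" \
    -out "$d/ca-keypair.p12" -passout pass:changeit 2>/dev/null || return 1
  openssl pkcs12 -export -nokeys -in "$d/ca.pem" \
    -out "$d/ca-certonly.p12" -passout pass:changeit 2>/dev/null || return 1
}

# Demo on the constructed samples.
demo=$(mktemp -d)
if make_samples "$demo"; then
  for f in ca.pem leaf.pem; do
    if is_ca_cert "$demo/$f"; then echo "$f: CA"; else echo "$f: not a CA"; fi
  done
  for f in ca-keypair.p12 ca-certonly.p12; do
    if p12_has_key "$demo/$f" changeit; then echo "$f: has private key"
    else echo "$f: no private key"; fi
  done
fi
rm -rf "$demo"
```

A file that fails `p12_has_key` holds only certificates, so it cannot be used to sign new certificates with `--ca`.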