Help with http certs in elasticsearch

Elastic Stack Elasticsearch
1

I used elasticsearch-certutil with my companies CA.jks to create http certificates for my node but I am at the last step to send the output zip file to the path I give I get the following error:

Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is nota CA!

The script I was running:

/usr/share/elasticsearch/bin/elasticsearch-certutil http

What format do we need to use ? The CA we were using was .jks

We have tried so many things and even tried with our own certificates produced by our company and nothing works.

2

Hi @Mary2022 You need your CA to follow this... so .p12 or .pem

See Here

--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter is only applicable to the cert parameter.
--ca-cert <file_path>
Specifies the path to an existing CA certificate (in PEM format). You must also specify the --ca-key parameter. The --ca-cert parameter is only applicable to the cert parameter.

3

Stephen,

Let me go back to when we started trying to generate the certificates for our nodes and before we tried multiple combinations/formats.

The CA from my company came in .jks format and when I ran the script below for first time I got an error saying my CA didn't have a key entry.

/usr/share/elasticsearch/bin/elasticsearch-certutil http

  • Question 1, does it matter if the CA doesn't have a key entry?

  • Question 2, should we better convert my ca.jks to ca.p12 and then run the script below?

/usr/share/elasticsearch/bin/elasticsearch-certutil --ca /etc/elasticsearch/certs/ca.p12

  • Question 3, will this (the script above) prompt me for the information needed to create the certificates for my nodes?

  • Question 4, is another option to run the script below to create the CSR with the ca.p12 to then create the nodes certificates and key?

/usr/share/elasticsearch/bin/elasticsearch-certutil csr
4

@stephenb ok I took my jks and converted this one to .p12 using keytool. Then I tried using the elasticsearch-certutil in CERT mode with my CA my organization gave me and I got the error "your CA doesnt have a key entry ". Does a CA requires a key entry?

5

Hi @Mary2022

Apologies but I'm not a low level Cert guru....

I have used our tools to create self-signed CAs and Certs

And I have generated Certs from the normal public authority type like let's encrypt

I'm not sure exactly how to work with your company generated CA. I suspect you may need to ask your cert expert in the company.

Nothing Elastic does is unusual with respect to CAs and Certs

All that said I do believe .p12 must have a key... Again, you probably need to check with your guru.. how to convert your .jks to a .p12 or a .pem + key

6

Yes, you need to have the key for the CA.
It isn't possible to use a CA to issue new certificates unless you have the private key.

1 Like
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.