How to change certificate's CN

Hi everyone,

I generated the CA and Certs as suggested by the docs:

bin/elasticsearch-certutil ca
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

I found that the CN of the certificate is "instance".

My hostname is not "instance", so I had to add this to my code:

setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)

My question is: How to change the CN of certificate?

I tried to use the following command:

./bin/elasticsearch-certutil cert --ca config/cert/elastic-ca.p12 --ca-dn "CN=hadoop-1"

And I get an error:

ERROR: Option(s) [ca-dn] are unavailable given other options on the command line

I tried to use the following command:
./bin/elasticsearch-certutil cert --ca config/cert/elastic-ca.p12 --name hadoop-1

and the certificate info:

Bag Attributes
friendlyName: hadoop-1
subject=/CN=hadoop-1
issuer=/CN=Elastic Certificate Tool Autogenerated CA

It seems that the CN has been changed, but my program still gets errors:

javax.net.ssl.SSLPeerUnverifiedException: Host name 'hadoop-1' does not match the certificate subject provided by the peer (CN=instance)

Thanks and Best regards!

That is not correct. You don't want to set the CN to your hostname; you want to add a DNS-tagged Subject Alternative Name to your certificate.

The certutil documentation describes the --dns option that you should use.

Hi @TimV,

I know what the problem is.

I created a certificate using the "./bin/elasticsearch-certutil cert --ca config/cert/elastic-ca.p12" command, then put it in the /es/config directory.

In this case, no matter how I set the DNS in the cert command for the other certificate, it does not work.

I don't follow.

You say you know what the problem is, but that it does not work.

Can you provide the exact commands that you are running, and the exact circumstances under which you get the error?

Sorry, I didn't make myself clear.

I created a certificate using the "./bin/elasticsearch-certutil cert --ca config/cert/elastic-ca.p12" command (without --dns), then put it in the /es/config directory.

After that, I created another certificate using "./bin/elasticsearch-certutil cert --ca config/cert/elastic-ca.p12 --dns "; this certificate was used by my application to connect to ES.

Because the first certificate, the one in the /es/config/ directory, did not have a DNS entry, my application could not connect to ES even though the app's certificate had one.

My solution is:

Replace the certificate without a DNS entry in the /es/config/ directory with a new certificate that has one.

And then my application can connect to ES.

Sorry, I don't speak English very well.

Thanks for your patience and best regards.

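The two points made in this thread (TimV's: put the hostname in a DNS Subject Alternative Name, not the CN; and the final post's: the certificate that matters is the one Elasticsearch itself serves from /es/config, not the one the client holds) can both be checked with openssl before touching any client code. The script below is an added example, not code from the thread or from the elasticsearch-certutil tool. It documents the --dns invocation in a comment (that part needs an Elasticsearch install and is not executed here) and then, with openssl only, generates two constructed self-signed test certificates that stand in for what certutil produces, one with a DNS SAN for hadoop-1 and one with only a CN, and shows which of them a hostname-verifying client would accept. The hostname hadoop-1 comes from the thread; hadoop-1.example.internal and 10.0.0.11 are made-up extra SAN entries.

```shell
#!/bin/sh
# Added example (not from the original thread or from Elastic's tooling).
#
# What the thread's fix looks like with certutil (needs an ES install; not run here):
#   bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 \
#       --name hadoop-1 --dns hadoop-1,hadoop-1.example.internal --ip 10.0.0.11
# --name sets the CN and friendly name; --dns / --ip add SAN entries. Java
# hostname verification matches the SAN of the certificate the *server*
# presents, so the cert in /es/config is the one that must carry it.

# cert_san_entries CERT.pem: print the certificate's SAN entries, one per line,
# e.g. "DNS:hadoop-1" or "IP Address:10.0.0.11". Prints nothing if there is no SAN.
cert_san_entries() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# cert_has_dns_san CERT.pem HOST: exit 0 iff HOST is present as a DNS SAN entry.
# This is the check a verifying client performs; the CN is not consulted.
cert_has_dns_san() {
  cert_san_entries "$1" | grep -qx "DNS:$2"
}

# make_san_cert DIR HOST: constructed self-signed cert with HOST in its SAN,
# standing in for "certutil cert --name HOST --dns HOST,..." (test data only).
make_san_cert() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = $host
[san]
subjectAltName = DNS:$host,DNS:$host.example.internal,IP:10.0.0.11
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

# make_cn_only_cert DIR CN: constructed cert with a CN and no SAN, i.e. the shape of
# the default "certutil cert" output (CN=instance) that the thread started with.
make_cn_only_cert() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/req.cnf" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d)
  make_san_cert "$tmp/server" hadoop-1        # the cert that belongs in /es/config
  make_cn_only_cert "$tmp/default" instance   # what the first certutil run produced
  echo "SAN entries on the --dns style cert:"
  cert_san_entries "$tmp/server/cert.pem"
  if cert_has_dns_san "$tmp/server/cert.pem" hadoop-1; then
    echo "hadoop-1 is in the SAN: a verifying client will accept this server cert"
  fi
  if ! cert_has_dns_san "$tmp/default/cert.pem" hadoop-1; then
    echo "CN-only cert has no DNS:hadoop-1 SAN: rejected, as in the thread's error"
  fi
  rm -rf "$tmp"
}
demo
```

Run cert_has_dns_san against the certificate actually deployed on the Elasticsearch node (after converting a PKCS#12 with openssl pkcs12 -nokeys) before reaching for NoopHostnameVerifier; if the check fails, the fix is to reissue that server certificate with --dns, not to turn verification off in the client.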
