How to get certificate from Windows MY store for ES call in python

(John T) #1

We have a service that connects to Elasticsearch from C# and Python. We are using a reverse proxy with client certificate authentication. From C# we pull the certificate from the local store and include it with the request. I was never able to figure out how to do this from Python (see Connecting to Elasticsearch via Python with SSL and client certificate --> CERTIFICATE_VERIFY_FAILED). I ended up storing the certificate as a pem file and reading that in on the creation of the Elasticsearch client.

I am currently tasked with moving all of our secrets (i.e. keys, certs, connection strings, etc.) out of source code. I have moved everything to Azure KeyVault except the ES client cert in Python (because we access KeyVault with a cert, which again is the same problem). I found that I am able to access the cert:

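    import os
    import wincertstore

    def get_cert_path():
        with wincertstore.CertSystemStore("MY") as store:
            for cert in store.itercerts(usage=wincertstore.CLIENT_AUTH):
                if cert.get_name() == "xxx":
                    # get_pem() returns the certificate only, with no private key
                    with open("esCertTest.pem", "w") as file:
                        file.write(cert.get_pem())
                    return os.path.realpath("esCertTest.pem")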

This works, except... This is just the cert and does not include the private key, so the call to ES fails.

I need to find out one of the following:

  • Can I get the private key from the cert I get from wincertstore?
  • If not, by what method can I get a certificate in Python that does not involve storing any secrets in my source code?
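
An added example, not part of the original post: a preflight check that reports why a PEM file cannot serve as a TLS client identity, which is the condition described above (a certificate block with no private key). The function names and sample inputs are assumptions constructed for illustration; the sample blocks hold placeholder bytes, not real key material.

```python
import base64
import re

# Matches one PEM block and captures its label and body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_labels(text):
    """Return the label of every PEM block in text whose body is valid base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [line.strip() for line in body.splitlines()]
        # Legacy encrypted keys put "Name: value" headers before the base64.
        payload = "".join(l for l in lines if l and ":" not in l)
        base64.b64decode(payload, validate=True)  # raises on a corrupt block
        labels.append(label)
    return labels

def client_pem_problems(text):
    """List the reasons this PEM cannot act as a TLS client identity on its own."""
    labels = pem_labels(text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate")
    if not keys:
        problems.append("no private key")
    elif "ENCRYPTED PRIVATE KEY" in keys or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; a password is required")
    return problems

def sample_block(label, payload=b"constructed sample bytes, not real DER"):
    """Build a syntactically valid PEM block from placeholder bytes (constructed)."""
    body = base64.encodebytes(payload).decode()
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, body, label)

# Constructed inputs: a certificate-only export versus a full client identity.
CERT_ONLY = sample_block("CERTIFICATE")
CERT_AND_KEY = CERT_ONLY + sample_block("PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in (("cert only", CERT_ONLY), ("cert + key", CERT_AND_KEY)):
        print(name, "->", client_pem_problems(pem) or "ok")
```

Running the check on the file before it is handed to the Elasticsearch client turns a handshake failure into an explicit "no private key" result.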