How to get certificate from Windows MY store for ES call in python

We have a service that connects to Elasticsearch from C# and Python. We are using a reverse proxy with client certificate authentication. From C# we pull the certificate from the local store and include it with the request. I was never able to figure out how to do this from Python (see Connecting to Elasticsearch via Python with SSL and client certificate --> CERTIFICATE_VERIFY_FAILED). I ended up storing the certificate as a pem file and reading that in on the creation of the Elasticsearch client.

I am currently tasked with moving all of our secrets (i.e. keys, certs, connection strings, etc.) out of source code. I have moved everything to Azure KeyVault except the ES client cert in Python (because we access KeyVault with a cert, which again is the same problem). I found that I am able to access the cert:

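    import os
    import wincertstore

    def get_cert_path():  # wrapper name assumed; the posted snippet omits it
        # Open the current user's personal ("MY") certificate store
        with wincertstore.CertSystemStore("MY") as store:
            for cert in store.itercerts(usage=wincertstore.CLIENT_AUTH):
                if cert.get_name() == "xxx":
                    cert_pem = cert.get_pem()  # PEM-encoded certificate
                    with open("esCertTest.pem", "w") as file:
                        file.write(cert_pem)
                    return os.path.realpath(file.name)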

This works, except... This is just the cert and does not include the private key, so the call to ES fails.

I need to find out one of the following:

  • Can I get the private key from the cert I get from wincertstore?
  • If not, by what method can I get a certificate in Python that does not involve storing any secrets in my source code?
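
The failure described in the post, a PEM file that holds only the certificate, can be caught before the Elasticsearch client is created. The following is an added example, not part of the original post: the function names are hypothetical and the PEM bodies are constructed placeholders, not real certificates or keys.

```python
import re

# RFC 7468 PEM armor: capture the label (e.g. "CERTIFICATE") and the body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def inspect_pem(text):
    """Count the certificate and private-key blocks in a PEM bundle."""
    blocks = [(m.group(1), m.group(2)) for m in _PEM_BLOCK.finditer(text)]
    keys = [(label, body) for label, body in blocks
            if label.endswith("PRIVATE KEY")]
    # PKCS#8 marks encryption in the label; legacy keys use a Proc-Type header.
    encrypted = any(label == "ENCRYPTED PRIVATE KEY"
                    or body.lstrip().startswith("Proc-Type: 4,ENCRYPTED")
                    for label, body in keys)
    return {
        "certificates": sum(1 for label, _ in blocks if label == "CERTIFICATE"),
        "private_keys": len(keys),
        "encrypted_key": encrypted,
    }

def check_client_pem(text):
    """Return (usable, reason) for a PEM intended for TLS client auth."""
    info = inspect_pem(text)
    if info["certificates"] == 0:
        return False, "no CERTIFICATE block"
    if info["private_keys"] == 0:
        return False, "certificate only, no private key"
    if info["encrypted_key"]:
        return True, "key present but encrypted; a passphrase is required"
    return True, "certificate and private key present"

# Constructed samples: the base64 bodies are placeholders, not real material.
CERT_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n"
)
CERT_AND_KEY = CERT_ONLY + (
    "-----BEGIN PRIVATE KEY-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, pem in (("cert only", CERT_ONLY), ("cert + key", CERT_AND_KEY)):
        print(name, "->", check_client_pem(pem))
```

The check reads only the armor labels, so it confirms that a key block is present, not that the key matches the certificate.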

