How to use pfx file with certutil

(Stephen Patten) #1


I have a pfx file from my IT dept to use in one of our environments, can I use that, or convert it to a format suitable for use with certutil?

Total noob question, sorry

Thank you,

(Tim Vernum) #2

A pfx file is Microsoft's name for a PKCS#12 file (the history is a little more complicated than that, but you can read it on Wikipedia if you care)

X-Pack supports PCKS#12 as of Elasticsearch v6.0 by treating them as a keystore (or truststore)

(Stephen Patten) #3

Hey Tim,

Thanks again for jumping in.

If I went that route, what would change in this documentation then? This blog post is becoming the basis for my deployment run-book, would you be able to tell me where the setup would differ? Sounds like I can use these files end to end too , correct?

(Tim Vernum) #4

Sorry for the delay in getting back to you.

If you want to convert PKCS#12 file to PEM format, you can, but you need to use openssl.
certutil doesn't have any file conversion functions.

For which purposes do you intend to use the certificate that your IT dept provided?

  • internal cluster traffic (transport interface) ?
  • API traffic (http interface) ?
  • Kibana ?
  • Logstash ?
  • Beats ?

For anything within Elasticsearch you can just switch in ssl.keystore.path everywhere the blog post suggests using ssl.certificate and ssl.key.
Depending on what's in the .pfx file, you may also want to set ssl.truststore.path instead of ssl.certificate_authorities, but I can't be sure without knowing what your PKCS#12 file contains.


xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt

could become

xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.certificate_authorities: certs/corporate-ca.crt


xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.truststore.path: certs/elasticsearch.pfx

or even

xpack.ssl.keystore.path: certs/elasticsearch.pfx
xpack.ssl.truststore.path: certs/corporate-ca.pfx

It just depends. Sorry I can't be more helpful. Setting up TLS can be not-too-painful if you get to control the whole process, but once corporate CAs get involved, it introduces a lot of variables, and it's hard to define a precise process.

I would start by looking at the contents of the pfx file. If you have access to openssl, then you can do:

openssl pkcs12 -in elasticsearch.pfx -nodes

If not, then java's keytool can do an adequate (but not great) job:

keytool -list -keystore elasticsearch.pfx 

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.