Keytool error: Invalid keystore format

I have Elasticsearch 7.17.
Following the generation of new SSL certificates, I have created a new keystore via the command

/usr/share/elasticsearch/bin/elasticsearch-keystore create

and I'm trying to add the CA certificate to it:

keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/elasticsearch.keystore -file /etc/elasticsearch/certs/ca.crt

However, I get the following error:

keytool error: Invalid keystore format

I have converted the CA cert into PKCS12 and tried to import it in such format (ca.p12), since the keystore is defined as of type PKCS12 in /etc/elasticsearch/elasticsearch.yml, but I get the same error.

What's wrong? Thanks in advance.

Excerpts of the /etc/elasticsearch/elasticsearch.yml file: elasticsearch.keystore PKCS12 elasticsearch.keystore PKCS12 certificate

The elasticsearch-keystore file is not the a SSL keystore. It is used to store passwords to SSL keystore files. Since keytool is meant to manipulate SSL keystore files, it won't work with elasticsearch.keystore file.

I suggest you have a read on the basic security setup page for details.

1 Like

As @Yang_Wang said, the elasticsearch-keystore utility is for manipulating a little "database" of mainly usernames and passwords (and maybe something else), while the keytool is a standard Java thing for manipulating a different type of database/keystore.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.