Keytool error: java.io.IOException: Invalid keystore format

I have Elasticsearch 7.17.
Following the generation of new SSL certificates, I have created a new keystore via the command

/usr/share/elasticsearch/bin/elasticsearch-keystore create

and I'm trying to add the CA certificate to it:

keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/elasticsearch.keystore -file /etc/elasticsearch/certs/ca.crt

However, I get the following error:

keytool error: java.io.IOException: Invalid keystore format

I have converted the CA cert into PKCS12 and tried to import it in such format (ca.p12), since the keystore is defined as of type PKCS12 in /etc/elasticsearch/elasticsearch.yml, but I get the same error.

What's wrong? Thanks in advance.

Excerpts of the /etc/elasticsearch/elasticsearch.yml file:

xpack.security.transport.ssl.keystore.path: elasticsearch.keystore
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.truststore.path: elasticsearch.keystore
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate

The elasticsearch-keystore file is not an SSL keystore. It is used to store passwords to SSL keystore files. Since keytool is meant to manipulate SSL keystore files, it won't work with the elasticsearch.keystore file.

I suggest you have a read on the basic security setup page for details.


As @Yang_Wang said, the elasticsearch-keystore utility is for manipulating a little "database" of mainly usernames and passwords (and maybe something else), while the keytool is a standard Java thing for manipulating a different type of database/keystore.
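A way to check which kind of file you are holding before picking a tool, added here as an example and not part of the original posts. The function names are hypothetical. The magic values come from the file formats rather than from the thread, and the Lucene codec header on the Elasticsearch secure-settings file is stated as an assumption about its on-disk format.

```shell
#!/bin/sh
# Classify a keystore file by its first four bytes so the matching tool is used.
# Magic values (from the formats, not from the thread):
#   3fd76c17  Lucene codec header; assumed here to open the Elasticsearch
#             secure-settings file created by `elasticsearch-keystore create`
#   feedfeed  Java JKS keystore
#   cececece  Java JCEKS keystore
#   30..      ASN.1 DER SEQUENCE, the outer structure of a PKCS#12 file

keystore_kind() {
    if [ ! -r "$1" ]; then
        echo "unreadable"
        return 1
    fi
    # First four bytes as lowercase hex with whitespace stripped.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        3fd76c17) echo "elasticsearch-secure-settings" ;;
        feedfeed) echo "jks" ;;
        cececece) echo "jceks" ;;
        30*)      echo "pkcs12-or-der" ;;
        "")       echo "empty" ;;
        *)        echo "unknown" ;;
    esac
}

# Name the tool that can open the file; keytool only understands Java keystores.
tool_for() {
    case "$(keystore_kind "$1")" in
        elasticsearch-secure-settings) echo "elasticsearch-keystore" ;;
        jks|jceks|pkcs12-or-der)       echo "keytool" ;;
        *)                             echo "none" ;;
    esac
}

# Constructed sample headers for trying the functions offline (not real keystores).
write_sample() {
    case "$1" in
        es)  printf '\077\327\154\027' ;;   # 3f d7 6c 17
        jks) printf '\376\355\376\355' ;;   # fe ed fe ed
        p12) printf '\060\202\004\000' ;;   # 30 82 04 00
    esac > "$2"
}

# Classify any paths given on the command line.
for f in "$@"; do
    printf '%s: %s (use %s)\n' "$f" "$(keystore_kind "$f")" "$(tool_for "$f")"
done
```

Run against /etc/elasticsearch/elasticsearch.keystore, a result of elasticsearch-secure-settings matches the keytool error in the question: the file is not in a format keytool reads.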
