Logstash PKI: Why does Logstash rely on optional metadata (Bag Attributes)?

I renewed my Logstash PKI, but when re-deploying all the client certificates to my Beats, they all encountered the following error:

`ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(async(tcp://logstash.example.com:5044)): tls: invalid signature by the server certificate: crypto/rsa: verification error`

After checking with another PKI (this one was still valid and in order), the only difference was that when renewing I had lost the Bag attributes metadata in the certificates. At first, I didn't think this could be the issue because these are supposed to be optional. But when I finally decided to give it a try by including the Bag Attributes, it worked and my Beats were able to send to Logstash. I wanted to raise this issue for anyone struggling like I did, and I hope we can get someone to clarify this. Maybe there's a reason for it but I think it should at least be mentioned in the documentation.

There are different types of certificates; for example, the X.509 certificate type generated by OpenSSL and stored in PEM format (pem file extension) does not use BagAttributes. Then you have the PKCS formats, like the PKCS#12 object format (p12 / pfx file extension), which is defined in RFC 7292, and this format uses BagAttributes. Logstash is written in Java, and Java uses the PKCS format for its certificates; see logstash/logstash-core/src/main/java/org/logstash/secret/store/backend/JavaKeyStore.java at f9d8b771e565bfe35fc71e72ae389eaa3df26d03 · elastic/logstash · GitHub

So that's why BagAttributes are required for the PFX file.

I hope this clears up a few things. You can read more about PKI here: Everything you should know about certificates and PKI but are too afraid to ask
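To make the Bag Attributes discussed in this thread concrete, here is an added example (my own script, not code from either post or from the Logstash or Beats projects). It builds a throwaway PKI with openssl, round-trips the server certificate through a PKCS#12 file so that the "Bag Attributes" lines appear in the exported PEM, and then runs the checks worth doing before redeploying a renewed certificate: that the certificate bytes are identical with and without the Bag Attributes text around the PEM block, that the private key actually matches the certificate, and that the chain verifies against the CA. The CA name, the hostname logstash.example.com and the "demo" export password are made-up values for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread above. It builds a throwaway PKI,
# round-trips the server certificate through PKCS#12 so that "Bag Attributes"
# lines show up in the PEM output, and then runs the checks worth doing before
# redeploying a renewed certificate. All names and the password are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA plus a server certificate signed by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pki-demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=logstash.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Export key + cert + CA to PKCS#12 and back to PEM. The PEM written by
# "openssl pkcs12" carries Bag Attributes (localKeyID, friendlyName) and
# subject=/issuer= lines outside the BEGIN/END blocks.
roundtrip_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout pass:demo -out "$WORK/server.p12"
  openssl pkcs12 -in "$WORK/server.p12" -nodes -passin pass:demo \
    -out "$WORK/server-bags.pem" 2>/dev/null
  # Same content with every line outside the PEM blocks removed.
  sed -n '/^-----BEGIN/,/^-----END/p' "$WORK/server-bags.pem" \
    > "$WORK/server-nobags.pem"
  # Beats take the key as its own file, so split it out of the bundle too.
  sed -n '/^-----BEGIN PRIVATE KEY-----/,/^-----END PRIVATE KEY-----/p' \
    "$WORK/server-bags.pem" > "$WORK/server-fromp12.key"
}

# Number of Bag Attributes headers openssl pkcs12 wrote into the PEM.
bag_attribute_lines() { grep -c '^Bag Attributes' "$WORK/server-bags.pem"; }

# SHA-256 of the DER form of the first certificate in a PEM file. PEM readers
# skip anything before the BEGIN line, so Bag Attributes never reach the parser.
cert_der_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The key belongs to the certificate iff both yield the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Leaf certificate chains to the CA we trust.
chain_verifies() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

make_pki
roundtrip_pkcs12
echo "Bag Attributes lines in exported PEM: $(bag_attribute_lines)"
echo "cert digest, original:     $(cert_der_sha256 "$WORK/server.crt")"
echo "cert digest, with bags:    $(cert_der_sha256 "$WORK/server-bags.pem")"
echo "cert digest, without bags: $(cert_der_sha256 "$WORK/server-nobags.pem")"
key_matches_cert "$WORK/server-bags.pem" "$WORK/server-fromp12.key" \
  && echo "private key matches certificate"
chain_verifies "$WORK/server-bags.pem" && echo "chain verifies against CA"
```

The three digests are the same because the Bag Attributes and subject=/issuer= lines sit outside the BEGIN/END block and are skipped by every PEM reader; the last two checks are the ones to run against a freshly renewed server key and certificate before pointing Beats at it.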
