Hello,
I have an application that needs to communicate to Logstash in TLS (one way) secure mode.
More specifically these are the requirements to setup such secured connection:
| Supported certificate format | Required file |
| --- | --- |
| Self-signed certificate | server.crt (CA signed certificate chain); server.key (The Logstash server private key file in PEM format) |
To accomplish that, I have done the following (and as I am not an expert here, I am not 100% sure I have done it correctly... :-) )
[uuuut@xxxxx1 bin]# **./elasticsearch-certutil cert --pem --out /Logstash_secure**
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.drbg.DRBG (file:/usr/share/ELK-7.5.0/elasticsearch-7.5.0/lib/tools/security-cli/bcprov-jdk15on-1.61.jar) to constructor sun.security.provider.Sun()
...................
...................
**If you specify any of the following options:**
* **-pem (PEM formatted output)**
* -keep-ca-key (retain generated CA key)
* -multiple (generate multiple certificates)
* -in (generate certificates from an input file)
**then the output will be be a zip file containing individual certificate/key files**
**Certificates written to /Logstash_secure**
This file should be properly secured as it contains the private key for
your instance.
After unzipping the file, there will be a directory for each instance.
Each instance has a certificate and private key.
[root@sticking1 /]# **unzip Logstash_secure**
Archive: Logstash_secure
creating: ca/
inflating: ca/ca.crt
creating: instance/
inflating: instance/instance.crt
inflating: instance/instance.key
If I look inside the created certificate by running the command below
[root@sticking1 instance]# **keytool -v -printcert -file instance.crt**
Owner: CN=instance
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: cb26d7871e034e48d472f75fd80645fd44ca6f17
Valid from: Thu Oct 12 22:48:08 PDT 2023 until: Sun Oct 11 22:48:08 PDT 2026
Certificate fingerprints:
SHA1: F5:45:2B:A4:C4:85:40:6D:16:D8:D6:95:AD:63:1A:D6:5D:32:4D:E9
SHA256: 30:08:7B:49:D5:79:E1:43:E9:24:68:91:95:6C:A8:5F:0E:AF:7D:69:AE:0D:CE:B3:12:A0:D3:91:99:AF:C7:85
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 76 D5 D8 27 D3 86 9A D2 62 65 83 10 28 E2 33 C7 v..'....be..(.3.
0010: 10 5E 0F E2 .^..
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D2 1D C5 DC 47 17 B9 29 C1 76 99 AF 32 A0 84 D7 ....G..).v..2...
0010: E5 09 77 33 ..w3
]
]
There is no alias associated, and that causes me trouble because I need to specify a certificate alias name when importing this into my application keystore...
Did I make a mistake or misunderstand something here?
Do I need to run elasticsearch-certutil differently or with some additional params to have a .pem certificate created and also an alias for it?
Do I have a chance to retrieve or create an alias name for the certificate I have just created?
Thanks in advance
Bye