P12 certificate is protected by password

Hi all ,

My ES cluster containing 3 Master and 2 Data nodes. I have 5 p12 certificates for SSL. All p12 certificates are password protected. May I use these password protected certificates in cluster . When I am enabled SSL by this certificates showing some errors.


You can definitely use password protected PKCS12 stores with Elasticsearch. See also our settings reference

Please share some additional information with us:

  • how did you create these five p12 files
  • what is the error you're getting

This will hopefully enable someone to offer some meaningful feedback and assist you overcoming your problem !

1 Like

These certificates provide from company . With password . They brought from CA companies

Hi Rijin,

Please share the error message you're getting as without this we can only guess and it will be really difficult to assist you in a meaningful way.

1 Like

Commercially provided PKCS#12 files typically contain cert+key pairs only, and do not contain any trust entries.

If you are attempting to use the file as a truststore then that is not likely to work.

1 Like

My COnf:
xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669
xpack.ssl.truststore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.truststore.type: PKCS12

xz.p12 and the decryption password 1b7f669 is provided by company.

Error log:

Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_181]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:71) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.trustManager(CertParsingUtils.java:267) ~[?:?]
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:58) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:355) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:388) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:92) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:130) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_181]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:549) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:464) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:156) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.(Node.java:315) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.(Node.java:256) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.2.jar:6.4.2]
... 6 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

You have set xpack.ssl.keystore.password but not xpack.ssl.truststore.password

1 Like


That means remove xpack.ssl.truststore.password ?

No, the configuration file you posted does not have an entry for xpack.ssl.truststore.password

1 Like

Ok Tim.

I am checking with new conf. Avoided truststore part

Hi Tim ,

I am tried with below mentioning conf. Its working. ( Data node IP:

xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669

But from kibana ...

elasticsearch.url: "" is not working. No live connection showing in log.
elasticsearch.url: "" is connecting to elasticsearch .

Why ?

It appears that you have not enabled TLS on the http port


1 Like

Hi TIm when I am added the line "xpack.security.http.ssl.enabled: true" to ES cluster yml files

all 3 master nodes and 1 data node working well .

but only one data node showing this error

io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x4b6f4330, L: ! R:/]


This is a warning. Warnings can represent something significant, but they typically telling you about something that isn't preventing the cluster from functioning, but may not be working the way you expected/wanted it to.


This error is relating to HTTP traffic.

not an SSL/TLS record

The HTTP interface is expecting SSL requests, but it received something that was not an SSL record.


This was received on port 9200 on the local machine


This was received from the Remote host:

In short, something on is trying to connect over http rather than https.

1 Like

Thanks tim ... is logstash ... I WILL CHANGE logstash outout to https(Now it is http).

The "not an SSL/TLS record" issue from kibana connection to Data node.

My kibana conf:

lasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/xyz.crt
server.ssl.key: /etc/kibana/certs/xyz.key

Is it ok ?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.