PKI auth in Elasticsearch - http layer

Hi,

I'm trying to set up PKI for user authentication on the http layer but I always get a "missing authentication credentials for REST request [/_security/_authenticate?pretty]".

After checking the documentation, here are the steps I took:

  1. Downloaded ES and activated the trial. I can now see 'Active license is now [TRIAL]; Security is enabled' in the logs

  2. Generate certificate

    elasticsearch-certutil ca
    elasticsearch-certutil cert --ca C:/es/elasticsearch-7.6.2/elastic-stack-ca.p12

For the steps above, I kept the default filenames but I added passwords. I also copied the file to <es_dir>/config/certs

  3. Added the following to elasticsearch.yml:

    xpack.security.enabled: true
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: C:/es/elasticsearch-7.6.2/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.client_authentication: optional
    xpack.security.authc.realms.pki.pki1.order: 1

  4. Added the password from step 2 to the ES keystore with:

    elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

At this point I can start Elasticsearch and when I access https://localhost:9200, I get a prompt to enter a username and password.

  5. Create a client certificate

    elasticsearch-certutil cert --ca C:/es/elasticsearch-7.6.2/elastic-stack-ca.p12 -name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"

The command above generates a 'client.p12' file

  6. Executed:

    openssl pkcs12 -in client.p12 -nocerts -nodes > client.key
    openssl pkcs12 -in client.p12 -clcerts -nokeys > client.cer
    openssl pkcs12 -in client.p12 -cacerts -nokeys -chain > client-ca.cer

  7. For testing I used the following command:

    curl https://localhost:9200/_security/_authenticate?pretty --key client.key --cert client.cer --cacert client-ca.cer -k -v

If I use the -u option in the curl command, I get a successful response. Does that mean that the certificates are incorrect? Do you know what I am missing?
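
One way to rule out the extracted files themselves, as an added example that is not part of the original post: a shell function that checks that `client.key`, `client.cer` and `client-ca.cer` contain PEM data, that the key belongs to the certificate, and that the certificate chains to the CA. The function name `check_client_cert` is hypothetical; the example assumes `openssl` is on the PATH and that the key is unencrypted, as it is when exported with `-nodes`.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check the PEM files
# extracted from client.p12 before using them for PKI authentication.
# Usage: check_client_cert client.key client.cer client-ca.cer
# Returns 0 only if every check passes.
check_client_cert() {
    local key="$1" cert="$2" ca="$3" rc=0 key_pub cert_pub

    # 1. Each file must really contain a PEM block. An empty file, or one
    #    re-encoded by the shell's output redirection, fails here.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "FAIL: no PEM private key in $key"; rc=1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "FAIL: no PEM certificate in $cert"; rc=1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
        || { echo "FAIL: no PEM certificate in $ca"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # 2. The private key must belong to the certificate: compare the public
    #    key derived from the key file with the one embedded in the cert.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || true
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi

    # 3. The certificate must chain to the CA the server is meant to trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert is not signed by a CA in $ca"; rc=1
    fi

    # 4. Print the subject DN and expiry date; the PKI realm derives the
    #    username from the subject DN.
    openssl x509 -in "$cert" -noout -subject -enddate || rc=1
    return "$rc"
}

# Run the check when the script is called with the three file names.
if [ "$#" -eq 3 ]; then
    check_client_cert "$@"
fi
```

If all checks pass, the files are internally consistent and the remaining question is whether the client actually presented the certificate during the TLS handshake, which the `-v` output of curl shows.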
