Problem with elasticsearch-certutil http and "ca certificate is not a CA" error

Hello, I installed Elasticsearch and Kibana 7.17.5 (Windows Server 2019).
I followed the directions in the "Set up basic security for the Elastic Stack" and didn't run into problems.
However, when I move on to the setup basic Plus HTTPS traffic, I get an error at the end of the 'elasticsearch-certutil http' process. Specifically: a "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
This happens using the certutil steps from basic.
Googling has not helped with this. Any thoughts?

The error message is pretty telling:

ca certificate is not a CA!

The cert you specified for elasticsearch-certutil http cannot be used as a CA (because it has a constraint on path length). What file did you specify as the CA for the process? Where does it come from? Did you generate it or did you get it from somewhere else? If it is the same elastic-stack-ca.p12 file from the "setup basic security" guide, it should just work.


Thank you Yang_Wang. I managed to find that during googling. I originally tried it with a cert issued by the organization I work for; however, when it didn't work, I tried the generic one from the "setup basic security" guide, with the same error resulting.

How did you create the "generic one"? Is it from running ./bin/elasticsearch-certutil ca? I cannot reproduce. If you can share your complete command line trail up to the point where you have the issue, it could be helpful to diagnose this further.

Doh, that one was on me, I was pointing to the wrong p12 file.
Thanks for your help.
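
One way to tell which .p12 file actually holds a CA before passing it to elasticsearch-certutil http, written for PowerShell on Windows. This is an added example, not part of the thread or of Elasticsearch; the function names, sample subjects and password are constructed, and it assumes .NET Framework 4.7.2 or later (or PowerShell 7).

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# List every certificate in a PKCS#12 blob and say whether it could sign other certificates.
function Get-Pkcs12CaStatus {
    param(
        [Parameter(Mandatory)] [byte[]] $Pkcs12Bytes,
        [string] $Password = ''
    )
    $certs = [X509Certificate2Collection]::new()
    $certs.Import($Pkcs12Bytes, $Password, [X509KeyStorageFlags]::DefaultKeySet)
    foreach ($cert in $certs) {
        # Basic Constraints (OID 2.5.29.19) carries the CA flag; an absent extension means "not a CA".
        $bc = $cert.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
        $isCa = [bool]($bc -and $bc.CertificateAuthority)
        [pscustomobject]@{
            Subject       = $cert.Subject
            IsCA          = $isCa
            HasPrivateKey = $cert.HasPrivateKey
            # Signing needs both the CA flag and the matching private key.
            UsableAsCA    = $isCa -and $cert.HasPrivateKey
        }
    }
}

# Constructed sample input: throwaway self-signed certificates built in memory (hypothetical helper).
function New-ConstructedPkcs12 {
    param([string] $Subject, [bool] $IsCa)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $now = [DateTimeOffset]::UtcNow
    $cert = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
    , $cert.Export([X509ContentType]::Pfx, 'constructed-password')
}

$samples = [ordered]@{
    'constructed-ca.p12'   = New-ConstructedPkcs12 -Subject 'CN=Constructed Test CA' -IsCa $true
    'constructed-node.p12' = New-ConstructedPkcs12 -Subject 'CN=constructed-node' -IsCa $false
}
foreach ($name in $samples.Keys) {
    Get-Pkcs12CaStatus -Pkcs12Bytes $samples[$name] -Password 'constructed-password' |
        Select-Object @{ n = 'File'; e = { $name } }, Subject, IsCA, HasPrivateKey, UsableAsCA
}
```

To check a real file, pass `[IO.File]::ReadAllBytes('<path to .p12>')` together with that file's password; a file suitable as the CA input should show at least one row with UsableAsCA set to True.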
