SSL/TLS setup with PKCS8 keys


I'm trying to set up SSL/TLS with x-pack and running into this when I point to pem encoded files:

java.lang.IllegalArgumentException: parsed an unsupported object [PKCS8EncryptedPrivateKeyInfo]
at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey( ~[?:?]
at org.elasticsearch.xpack.ssl.PEMKeyConfig.readPrivateKey( ~[?:?]

elasticsearch.yml includes all of these settings
xpack.ssl.key: /path/to/cakey.pem
xpack.ssl.key_passphrase: password
xpack.ssl.certificate: /path/to/01.pem
xpack.ssl.certificate_authorities: [ "/path/to/cacert.pem" ]

When I use certgen to generate CA & node certificates I get PKCS1 keys, and pointing to them in elasticsearch.yml works fine. How can I use keys/certs that were generated this way: ?


Certgen is the recommended approach to generating certificates for Elasticsearch 5.x with X-Pack. If you are able to use certificates from certgen, that will be the most straightforward approach.

Can you explain why you want to use the old (shield) method?

These don't seem quite right. You have the key pointing to the CA key, but the certificate pointing to 01.
xpack.ssl.key should be pointing to 01.key (or perhaps 01key.pem, depending on how it was named)

My guess if that this is caused by the same problem as above - you've gotten your key and cert files mixed up somewhere along the way.


This should be the (public) certificate for your node.
The first line of that file should say: -----BEGIN CERTIFICATE-----


This should be the key for the certificate above.
The first line of that file should say: -----BEGIN RSA PRIVATE KEY-----


This is the passphrase for the key above.


These should be the (public) certificates for each of the CAs that you wish to trust.
The first line of each file should say: -----BEGIN CERTIFICATE-----

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.