Store certificate in keystore

If I properly understood this doc and especially this paragraph:

The elasticsearch-certutil outputs a PKCS#12 keystore which includes the CA certificate as a trusted certificate entry. This allows for the keystore to also be used as a truststore. In this case, the path value should match the keystore.path value. Note, however, that this is not the general rule. There are keystores that cannot be used as truststores, only specifically crafted ones can

The keystore can also be used as truststore. In this keystore we store the certificate password. And I was wondering why we could not store the certificate itself in the keystore, instead of storing it on the node and giving an explicit path to look for this certificate?
Maybe I don't properly understand the role of the keystore, could you enlighten me about this matter?

Unfortunately we have overlapping names that can sometimes be confusing.

Within Elasticsearch's certificate configuration, a file that can store a collection of certificates along with their private keys is known as a KeyStore (which is the terminology that Java uses). Such keystores are typically in PKCS#12 or JKS format.

A file that can store a collection of trusted certificates (typically CAs), without their private keys, is known as a TrustStore (also a terminology from Java). Generally, keystores and truststores use the same file format, so most truststores are also in PKCS#12 or JKS format.

Because these files (both keystores and truststores) are collections of certificates - that is, they can contain many certificates - it is possible for a single file to contain private key entries (that is, a certificate + private key) and trusted certificate entries (that is, public certificates without keys) at the same time, which makes it both a keystore and a truststore, and you can use it for either, or both.

Elasticsearch also has a file in its configuration directory called elasticsearch.keystore, and you can view and modify the contents of that file via the elasticsearch-keystore command. That "keystore" stores "secrets" like passwords, and is not the same type of keystore as a certificate keystore described above. It isn't in a standard format (that is, it is not PKCS#12 or JKS) and most of the time it doesn't store "private keys" just "secrets".

The elasticsearch.keystore cannot be used as a keystore, nor a truststore, for configuring SSL. All SSL certificates + keys need to be stored on the filesystem in either a certificate keystore (PKCS#12 or JKS) or as individual files in PEM format (.crt, .key, .pem, etc).

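To make the distinction concrete, here is an added example (mine, not from the thread or from Elastic): it builds the two kinds of file the answer describes with openssl, then writes the elasticsearch.yml lines that point at the certificate keystore on disk, while the keystore password stays out of the yml and goes into elasticsearch.keystore. The CA name, node name, directory layout and the password "changeme" are constructed for the demo; openssl is assumed to be on PATH, and the elasticsearch-keystore command is shown only as a comment because it exists only on a real node.

```shell
#!/bin/sh
# Added example, not the forum's or Elastic's own code. Shows a PKCS#12
# certificate keystore (key + cert + CA) built with openssl, versus the
# password that belongs in elasticsearch.keystore. All names and the
# password are constructed; openssl is assumed to be installed.
set -eu

# Build a throwaway CA, a CA-signed node certificate, and bundle the node
# key, node cert and CA cert into one PKCS#12 file: $1 = work dir, $2 = password.
make_pkcs12() {
    dir=$1; pass=$2
    # Self-signed demo CA (private key + certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Node private key and CSR, then a certificate signed by the demo CA.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=node-1" -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/node.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/node.crt" 2>/dev/null
    # The certificate keystore: one private key entry (node-1) plus the CA cert.
    # openssl's -certfile stores the CA as part of the chain, not as a Java
    # "trusted certificate entry", so this file is a keystore but not the
    # specifically crafted keystore-that-is-also-a-truststore that
    # elasticsearch-certutil produces.
    openssl pkcs12 -export -name node-1 \
        -in "$dir/node.crt" -inkey "$dir/node.key" -certfile "$dir/ca.crt" \
        -out "$dir/node.p12" -passout "pass:$pass"
}

# Count the certificates held in a PKCS#12 file: $1 = file, $2 = password.
# -nokeys leaves the private key out, so nothing sensitive is printed.
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Write the SSL settings that reference files on the filesystem: $1 = config dir.
# The keystore password is deliberately absent; it is a secret, so it is
# added to elasticsearch.keystore instead (command shown at the bottom).
write_es_config() {
    cat > "$1/elasticsearch.yml" <<'EOF'
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Certificate keystore (PKCS#12) holding the node key and certificate.
xpack.security.transport.ssl.keystore.path: certs/node.p12
# Trust comes from the CA certificate in PEM form, kept as a separate file.
xpack.security.transport.ssl.certificate_authorities: [ "certs/ca.crt" ]
EOF
}

work=$(mktemp -d)
make_pkcs12 "$work" changeme
write_es_config "$work"
echo "certificates in node.p12: $(count_certs "$work/node.p12" changeme)"
# On a real node the password would then be stored as a secret, not in the yml:
#   bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
```

Two files, two jobs: node.p12 is the certificate keystore the SSL settings point at, and elasticsearch.keystore only ever receives the secure_password that unlocks it. If the CA must be trusted from the same PKCS#12 file, generate it with elasticsearch-certutil, which writes the CA as a trusted certificate entry; a file assembled with plain openssl as above needs the PEM CA (or a separate truststore) for trust.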

Hello Mr V,
Your answer is amazing, I understood everything!
Thanks a lot for your time,
Have a great day!
