I followed the official guide for the renewal of the `http.p12` cert for Elasticsearch: Basic Security Setup with HTTPS.

After renewing the `http.p12` certificate, we are facing an issue where we cannot generate an enrollment token for both nodes and Kibana:

```
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
```
Steps followed:

- Encountered an issue during certificate renewal:
  - The guide mentions using `elastic-stack-ca.p12`, but we couldn't find this file.
  - Instead, we passed `http_ca.crt` as the CA certificate.
  - However, it then asked for the private CA key, which we didn't have separately.
- To work around this, we exported the private key from the old `http.p12` certificate and used it to generate the new `http.p12` cert.
- Updated the Elasticsearch configuration (`elasticsearch.yml`) with the new certificate.
- Restarted Elasticsearch nodes to apply the changes.
Observations (comparing old vs. new `http.p12` certificates):

- Old `http.p12` contained:
  - Certificates (3): `http_ca`, `http`, `CN=Elasticsearch security auto-configuration HTTP CA`
  - Private Keys (2): `http_ca`, `http`
- New `http.p12` contains:
  - Certificates (2): `CN=Elasticsearch security auto-configuration HTTP CA`, `http_ca`
  - Private Key (1): `http`

Key difference:

- In the old `http.p12`, `CN=Elasticsearch security auto-configuration HTTP CA` and `http_ca` were the same.
- The new `http.p12` no longer has `http_ca` as a private key.
Questions:

1. Since we didn't have `elastic-stack-ca.p12`, was it correct to use `http_ca.crt`, or should we have created a new CA from scratch?
2. How can we properly regenerate `http.p12` while ensuring it includes the necessary CA private key?
3. Also, please confirm whether this is the right process for cert renewal.

Any guidance on resolving this would be highly appreciated. Thanks!
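The error quoted in the post is a precise statement of what the HTTP keystore is missing: a PrivateKey entry whose own certificate is a CA certificate. The old/new comparison above shows the same thing from the other side (the new file keeps the `http_ca` certificate only as a trusted entry, and the sole private key belongs to the non-CA `http` entry). The following shell check is an added example, not code from the original post or from Elastic: it dumps a PKCS#12 file with the `openssl` CLI and prints the friendlyName of every private-key entry whose matching certificate carries `basicConstraints CA:TRUE`, so a renewed `http.p12` can be verified against the old one before nodes are restarted. It assumes `openssl` 1.1.1 or later is on PATH; the function name `ca_key_entries` and the paths and password in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): report the private-key entries in
# a PKCS#12 keystore whose matching certificate is a CA certificate, which is the
# kind of entry the enrollment-token error says http.p12 is missing.
# Assumes the openssl CLI (1.1.1+) is available; the function name is ours.
#
# Usage: ca_key_entries /path/to/http.p12 'keystore-password'
# Prints one friendlyName per qualifying entry. Exit status: 0 if at least one
# was found, 1 if none, 2 if the keystore could not be opened.
ca_key_entries() {
    p12=$1
    pass=$2
    tmp=$(mktemp -d) || return 2

    # Dump keys and certificates as PEM, keeping openssl's "Bag Attributes"
    # headers: their friendlyName ties each private key to its certificate.
    if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes \
            -out "$tmp/all.pem" 2>/dev/null; then
        rm -rf "$tmp"
        return 2
    fi

    # Walk the dump: record the friendlyName of every private key, and write
    # each certificate to its own file next to the name it was tagged with.
    awk -v dir="$tmp" '
        /^Bag Attributes/  { name = "" }
        /^ *friendlyName:/ { sub(/^ *friendlyName: */, ""); name = $0 }
        /^-----BEGIN .*PRIVATE KEY-----/ {
            if (name != "") { print name >> (dir "/keys.txt") }
        }
        /^-----BEGIN CERTIFICATE-----/ {
            n++
            cert = dir "/cert" n ".pem"
            tag  = dir "/certname" n ".txt"
            print name > tag; close(tag)
            incert = 1
        }
        incert { print > cert }
        /^-----END CERTIFICATE-----/ { incert = 0; close(cert) }
    ' "$tmp/all.pem"

    found=1
    for cert in "$tmp"/cert*.pem; do
        [ -f "$cert" ] || continue
        idx=${cert##*/cert}; idx=${idx%.pem}
        name=$(cat "$tmp/certname$idx.txt")
        # Only certificates that share a friendlyName with a private key count;
        # trusted-certificate entries without a key (like the new http_ca) do not.
        [ -n "$name" ] || continue
        grep -qxF -- "$name" "$tmp/keys.txt" 2>/dev/null || continue
        # basicConstraints CA:TRUE is what makes the entry a CA certificate.
        if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
            echo "$name"
            found=0
        fi
    done

    rm -rf "$tmp"
    return "$found"
}

# When run directly with a keystore path and password, report on that file.
if [ "$#" -eq 2 ]; then
    ca_key_entries "$1" "$2"
fi
```

Run it once against the backed-up old `http.p12` (it should list `http_ca`) and once against the renewed file; an empty result and exit status 1 on the new file reproduces the condition behind the "doesn't contain any PrivateKey entries where the associated certificate is a CA certificate" error. With OpenSSL 3 and a keystore written by an older Java that still uses legacy PBE algorithms, `openssl pkcs12` may need the `-legacy` flag to open it.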