Unable to Create Enrollment Token After http.p12 Certificate Renewal

I followed the official guide for the renewal of http.p12 cert for Elasticsearch:
Basic Security Setup with HTTPS

After renewing the http.p12 certificate, we are facing an issue where we cannot generate an enrollment token for both nodes and Kibana.

Unable to create enrollment token for scope [node]

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate

Steps followed:

  1. Encountered an issue during certificate renewal:
  • The guide mentions using elastic-stack-ca.p12, but we couldn't find this file.
  • Instead, we passed http_ca.crt as the CA certificate.
  • However, it then asked for the private CA key, which we didn’t have separately.
  • To work around this, we exported the private key from the old http.p12 certificate and used it to generate the new http.p12 cert.
  2. Updated the Elasticsearch configuration (elasticsearch.yml) with the new certificate.
  3. Restarted Elasticsearch nodes to apply the changes.

Observations (Comparing Old vs. New http.p12 Certificates):

  1. Old http.p12 contained:
  • Certificates (3): http_ca, http, CN=Elasticsearch security auto-configuration HTTP CA
  • Private Keys (2): http_ca, http
  2. New http.p12 contains:
  • Certificates (2): CN=Elasticsearch security auto-configuration HTTP CA, http_ca
  • Private Key (1): http
  Key Difference:
  • In the old http.p12, CN=Elasticsearch security auto-configuration HTTP CA and http_ca were the same.
  • The new http.p12 no longer has http_ca as a private key.

Questions:
Since we didn't have elastic-stack-ca.p12, was it correct to use http_ca.crt, or should we have created a new CA from scratch?

How can we properly regenerate http.p12 while ensuring it includes the necessary CA private key?

Also please confirm if it is the right process for cert renewal.

Any guidance on resolving this would be highly appreciated. Thanks!
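
An added example (not part of the original post, and not Elasticsearch code): a check over `keytool -list -v` output for the condition the error names, a PrivateKeyEntry whose own certificate is a CA certificate. The listings are constructed and trimmed, and treating only `Certificate[1]` as the entry's associated certificate is an assumption drawn from the wording of the error message.

```python
import re

# Constructed, trimmed `keytool -list -v` output modelled on the "new" http.p12
# described in the post: one key entry (http) plus a certificate-only CA entry.
NEW_LISTING = """\
Alias name: http
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node-1
BasicConstraints:[
  CA:false
]
Certificate[2]:
Owner: CN=Elasticsearch security auto-configuration HTTP CA
BasicConstraints:[
  CA:true
]
Alias name: http_ca
Entry type: trustedCertEntry
Owner: CN=Elasticsearch security auto-configuration HTTP CA
BasicConstraints:[
  CA:true
]
"""

# Same constructed listing with the CA held as a key entry, as in the "old" http.p12.
OLD_LISTING = NEW_LISTING.replace(
    "Alias name: http_ca\nEntry type: trustedCertEntry",
    "Alias name: http_ca\nEntry type: PrivateKeyEntry\n"
    "Certificate chain length: 1\nCertificate[1]:")

def ca_key_aliases(listing: str) -> list:
    """Aliases of PrivateKeyEntry items whose own certificate is CA:true."""
    found = []
    for entry in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = re.search(r"(?m)^Alias name: (.+)$", entry)
        if not alias or "Entry type: PrivateKeyEntry" not in entry:
            continue  # certificate-only entries carry no private key
        # Assumption: only Certificate[1] belongs to the key; later ones are issuers.
        own_cert = re.split(r"(?m)^Certificate\[2\]:", entry)[0]
        if re.search(r"(?m)^\s*CA:true\s*$", own_cert):
            found.append(alias.group(1).strip())
    return found

if __name__ == "__main__":
    print("old:", ca_key_aliases(OLD_LISTING))
    print("new:", ca_key_aliases(NEW_LISTING))
```

The CA certificate in the `http` entry's chain does not count, because the private key in that entry belongs to the leaf certificate, not to the CA.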