I followed the official guide for the renewal of http.p12 cert for Elasticsearch:
Basic Security Setup with HTTPS
After renewing the http.p12 certificate, we are facing an issue where we cannot generate an enrollment token for both nodes and Kibana.
```
Unable to create enrollment token for scope [node]
ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate
```
Steps followed:
- Encountered an issue during certificate renewal:
  - The guide mentions using `elastic-stack-ca.p12`, but we couldn't find this file.
  - Instead, we passed `http_ca.crt` as the CA certificate.
  - However, it then asked for the private CA key, which we didn't have separately.
- To work around this, we exported the private key from the old `http.p12` certificate and used it to generate the new `http.p12` cert.
- Updated the Elasticsearch configuration (`elasticsearch.yml`) with the new certificate.
- Restarted Elasticsearch nodes to apply the changes.
Observations (comparing old vs. new `http.p12` certificates):
- Old `http.p12` contained:
  - Certificates (3): `http_ca`, `http`, `CN=Elasticsearch security auto-configuration HTTP CA`
  - Private keys (2): `http_ca`, `http`
- New `http.p12` contains:
  - Certificates (2): `CN=Elasticsearch security auto-configuration HTTP CA`, `http_ca`
  - Private key (1): `http`

Key difference:
- In the old `http.p12`, `CN=Elasticsearch security auto-configuration HTTP CA` and `http_ca` were the same.
- The new `http.p12` no longer has `http_ca` as a private key.
Questions:
- Since we didn't have `elastic-stack-ca.p12`, was it correct to use `http_ca.crt`, or should we have created a new CA from scratch?
- How can we properly regenerate `http.p12` while ensuring it includes the necessary CA private key?
- Also, please confirm whether this is the right process for cert renewal.

Any guidance on resolving this would be highly appreciated. Thanks!
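A way to check a keystore for the exact condition the error names, as an added example that is not part of the original post: the script below uses plain openssl (not elasticsearch-certutil or keytool) to build two constructed keystores, one holding only a node key plus the CA certificate, like the new `http.p12` described above, and one holding the CA's own private key, and reports which of them contains a PrivateKey entry whose associated certificate is a CA. File names, subjects and the password are constructed for the demo.

```shell
# Added example: check a PKCS#12 keystore for a private key whose own certificate
# is a CA (the condition behind the enrollment-token error). openssl only.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed password for the demo keystores

# has_ca_private_key <keystore.p12> <password>
# Exit 0 if some private-key bag is paired (via localKeyID) with a CA:TRUE
# certificate, 1 if not, 2 if the keystore cannot be opened.
has_ca_private_key() {
  dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 2
  # localKeyID of every private-key bag; the id is reset at each new bag.
  key_ids=$(printf '%s\n' "$dump" | awk '
    /^Bag Attributes/ { id = "" }
    /localKeyID:/     { id = $0 }
    /-----BEGIN .*PRIVATE KEY-----/ { if (id != "") print id }')
  [ -n "$key_ids" ] || return 1
  if printf '%s\n' "$key_ids" | while IFS= read -r id; do
      # Extract the certificate bag with the same localKeyID and test for CA:TRUE.
      printf '%s\n' "$dump" | awk -v want="$id" '
        /^Bag Attributes/             { hit = 0 }
        /localKeyID:/                 { hit = ($0 == want) }
        /-----BEGIN CERTIFICATE-----/ { p = hit }
        p                             { print }
        /-----END CERTIFICATE-----/   { p = 0 }' \
        | openssl x509 -noout -text 2>/dev/null | grep -q 'CA:TRUE' && exit 0
    done
  then return 0; fi
  return 1
}

# Constructed fixtures: a self-signed CA and a node certificate it issues
# (stand-ins for http_ca and http; not the poster's files).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo HTTP CA' \
  -addext 'basicConstraints=critical,CA:TRUE' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=demo node' \
  -keyout "$WORK/http.key" -out "$WORK/http.csr" 2>/dev/null
openssl x509 -req -in "$WORK/http.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/http.crt" 2>/dev/null
# Like the new http.p12 in the post: CA certificate included, but only the node key.
openssl pkcs12 -export -name http -inkey "$WORK/http.key" -in "$WORK/http.crt" \
  -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/new-http.p12"
# A store that does carry the CA's own private key and certificate.
openssl pkcs12 -export -name http_ca -inkey "$WORK/ca.key" -in "$WORK/ca.crt" \
  -passout "pass:$PASS" -out "$WORK/ca.p12"
for ks in ca.p12 new-http.p12; do
  if has_ca_private_key "$WORK/$ks" "$PASS"; then echo "$ks: CA private key present"
  else echo "$ks: no CA private key (enrollment token creation would fail)"; fi
done
```

Run the same function against a real keystore (`has_ca_private_key /path/to/http.p12 "$PASSWORD"`) to see which of the two states it is in before restarting nodes.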