Update security certificates with a different CA

I am trying to update new CA which are signed using trusted source given by our organization.
./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key
While trying to create new certificate using the above command I am getting an error :
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:250)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:191)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:171)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:110)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateCertificateAndKey(CertificateTool.java:864)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:839)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:716)
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.Command.main(Command.java:50)
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

Any suggestion as we how we can resolve this issue.

It seems that the "CA" you were given isn't actually a CA. You can't use it to issue new certificates.

Thank you Tim for the reply.
So, should we use the main certificate or root certificate when creating certificate for nodes using this command ./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key ?

When we use main certificate we get "ca certificate is not a CA!" error.
But we are able to create new node certificates using the root certificate but we get below error when elasticsearch nodes communicate with logstash and kibana.
[2024-01-31T17:01:17,249][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xxxxxxxx] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/xx.xxx.xx.xxx:9200, remoteAddress=/xx.xxx.xx.xxx:51314}

We are trying to follow the steps mentioned in elastic guide https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-different.html

So, we are not sure exactly which certificate (main or root) to use when are trying to create new node certificates.

What are those files? Where did they come from?

I don't know what main and root mean to you, so I cannot guess what you should do in this case.

Thanks Tim for the reply.
We have 2 Kibana, 6 elastic and 8 Logstash nodes having different IP address.
The current implementation is that we have generated elastic-stack-ca.p12 and elastic-certificate.p12 file on one of the elastic node which is self-signed and elastic-certificate.p12 is copied to all the other Elasticsearch, Logstash and Kibana nodes for TLS and HTTP communication (The elastic-stack-ca.p12 is only on one of the Elasticsearch node where we are generating the CSR).

Now we want to update this self- signed certificate with a new trusted certificate provided by our organization. For this we need to generate CSR which we will share with our organization.
So, can you please suggest the command that needs to used to generate CSR.

Certutil has a CSR mode if your issuers needs you to generate CSRs, however there's nothing special about those CSRs, so you can generate them with other tooling, or request your certificate through whatever mechanism suits you.