I am trying to update to a new CA which is signed using a trusted source given by our organization.
./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key
While trying to create a new certificate using the above command I am getting an error:
Exception in thread "main" java.lang.IllegalArgumentException: ca certificate is not a CA!
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:250)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:191)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:171)
at org.elasticsearch.xpack.security.cli.CertGenUtils.generateSignedCertificate(CertGenUtils.java:110)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateCertificateAndKey(CertificateTool.java:864)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:839)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:716)
at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
at org.elasticsearch.cli.Command.main(Command.java:50)
at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)
Any suggestion as to how we can resolve this issue?
Thank you Tim for the reply.
So, should we use the main certificate or the root certificate when creating certificates for nodes using this command: ./bin/elasticsearch-certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key ?
When we use the main certificate we get the "ca certificate is not a CA!" error.
But we are able to create new node certificates using the root certificate; however, we get the below error when the Elasticsearch nodes communicate with Logstash and Kibana.
[2024-01-31T17:01:17,249][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xxxxxxxx] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/xx.xxx.xx.xxx:9200, remoteAddress=/xx.xxx.xx.xxx:51314}
Thanks Tim for the reply.
We have 2 Kibana, 6 Elasticsearch and 8 Logstash nodes with different IP addresses.
The current implementation is that we have generated the elastic-stack-ca.p12 and elastic-certificate.p12 files on one of the Elasticsearch nodes, which are self-signed, and elastic-certificate.p12 is copied to all the other Elasticsearch, Logstash and Kibana nodes for TLS and HTTP communication (the elastic-stack-ca.p12 is only on the one Elasticsearch node where we are generating the CSR).
Now we want to update this self-signed certificate with a new trusted certificate provided by our organization. For this we need to generate a CSR which we will share with our organization.
So, can you please suggest the command that needs to be used to generate the CSR?
Certutil has a CSR mode if your issuer needs you to generate CSRs; however, there's nothing special about those CSRs, so you can generate them with other tooling, or request your certificate through whatever mechanism suits you.
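Added example, not from this thread or from Elastic: the check certutil applies to the file passed to `--ca-cert` (basicConstraints must say CA:TRUE, otherwise it fails with "ca certificate is not a CA!"), plus a node CSR with SANs made with plain openssl, as Tim describes. The CA, hostname es01.example.internal and IP 10.0.0.11 are constructed fixtures; the organization's real issuer replaces the throwaway CA.

```shell
#!/bin/sh
# Added example (not from the thread): reproduces certutil's "is this a CA?" check
# with openssl and generates a node CSR the organization's CA can sign.
set -e
WORK=$(mktemp -d)

# certutil refuses to sign with a certificate lacking basicConstraints CA:TRUE
# ("ca certificate is not a CA!"); this is the same check done with openssl.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Write a self-contained openssl config so the result does not depend on the
# system openssl.cnf.  $1 = file, $2 = CN, $3 = extension lines (\n separated).
write_cnf() {
    printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%b\n' "$2" "$3" > "$1"
}

# Node key + CSR.  The SANs must cover every hostname/IP Kibana and Logstash use
# to reach the node, or they will not trust the served certificate.
make_csr() {  # make_csr <prefix> <CN> <SAN list, e.g. DNS:es01,IP:10.0.0.11>
    write_cnf "$1.cnf" "$2" "basicConstraints = CA:FALSE\nsubjectAltName = $3"
    openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Constructed fixtures: a throwaway CA standing in for the organization's issuer,
# and one node certificate it signs from the CSR.
write_cnf "$WORK/ca.cnf" "Example Org Issuing CA" \
    "basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
make_csr "$WORK/es01" es01.example.internal "DNS:es01.example.internal,IP:10.0.0.11"
openssl x509 -req -in "$WORK/es01.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -extfile "$WORK/es01.cnf" -extensions ext -out "$WORK/es01.crt" 2>/dev/null

# A client trusts the node certificate only if it chains to a CA in its truststore.
chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

is_ca "$WORK/ca.crt"   && echo "ca.crt: CA:TRUE, valid for --ca-cert"
is_ca "$WORK/es01.crt" || echo "es01.crt: end-entity certificate, certutil would reject it as a CA"
chains_to "$WORK/ca.crt" "$WORK/es01.crt" && echo "es01.crt verifies against ca.crt"
```

Run `is_ca` against whichever file the organization handed over before passing it to `--ca-cert`; the clients' truststores must contain the CA that `chains_to` succeeds with.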