What is the usecasae of --ca-dn when using elasticsearch-certutil utility

jack_a · February 24, 2025, 7:38pm

the --ca-dn option while using cert seems to only be applicable with --self-signed option, for example

./elasticsearch-certutil cert --self-signed --ca-dn xyz --pem --out /usr/share/elasticsearch/bin/test/out5.zip

But in this case when i check the generated cert content for example with the command

openssl x509 -in instance.crt -text -noout

Both issuer CN and subject CN is set as instance . Can you please show me with an example what it is the use case of --ca-dn when using cert command and which part of the certificated is effected by the parameter?

TimV · February 24, 2025, 11:32pm

It doesn't do anything useful in current versions of certutil

In older versions it was possible to generate a CA on the fly while you generated certificates, but that option has been removed.

jack_a · February 25, 2025, 5:31am

Thanks. It would be nice if the option would not show up when you run elasticsearch-certutil cert --help (it is kind of confusing) but anyway thanks for the reply.

Topic		Replies	Views
Elasticsearch-certutil parameters Elasticsearch	2	477	December 20, 2022
ES Certutil - cert or ca? Elasticsearch	1	434	August 10, 2018
How to change certificate's CN Elasticsearch	5	2478	August 7, 2019
ELastic-CertUtil erro trying to create Certificate-authorities, .crt, .key Elasticsearch elastic-stack-security	6	473	July 1, 2023
Elasticsearch-certutil - can it access keystore? Elasticsearch elastic-stack-security	2	663	June 25, 2019

What is the usecasae of --ca-dn when using elasticsearch-certutil utility

Related topics