What is the usecasae of --ca-dn when using elasticsearch-certutil utility

jack_a · February 24, 2025, 7:38pm

the --ca-dn option while using cert seems to only be applicable with --self-signed option, for example

./elasticsearch-certutil cert --self-signed --ca-dn xyz --pem --out /usr/share/elasticsearch/bin/test/out5.zip

But in this case when i check the generated cert content for example with the command

openssl x509 -in instance.crt -text -noout

Both issuer CN and subject CN is set as instance . Can you please show me with an example what it is the use case of --ca-dn when using cert command and which part of the certificated is effected by the parameter?

TimV · February 24, 2025, 11:32pm

It doesn't do anything useful in current versions of certutil

In older versions it was possible to generate a CA on the fly while you generated certificates, but that option has been removed.

jack_a · February 25, 2025, 5:31am

Thanks. It would be nice if the option would not show up when you run elasticsearch-certutil cert --help (it is kind of confusing) but anyway thanks for the reply.

Topic		Replies	Views
ES Certutil - cert or ca? Elasticsearch	1	446	August 10, 2018
How to set friendly name of ca certificate generated by elasticsearch-certutil tool Elasticsearch elastic-stack-security	2	918	March 28, 2019
How to change certificate's CN Elasticsearch	5	2560	August 7, 2019
Create more certs with same CA file using certgen utility Elasticsearch	2	1759	September 22, 2017
SSL certificate \| Let's Encrypt or self-signed Elasticsearch elastic-stack-security	9	5440	December 12, 2019

What is the usecasae of --ca-dn when using elasticsearch-certutil utility

Related topics