After a lot of digging, I finally managed to get it to work. I am leaving the way I did it here for anyone facing the same issue I had:
- Use the following command to generate a new HTTP keystore:
./bin/elasticsearch-certutil http
Generate a CSR? [y/N] N
Use an existing CA? [y/N] N
Do you wish to change any of these options? [y/N] y
CA Name [CN=Elasticsearch HTTP CA] [server-ip-address]
CA Validity [5y] 60y
We recommend that you use one of 2048, 3072 or 4096 bits for your key.
Key Size [2048] [ENTER]
Do you wish to change any of these options? [y/N] [N]
CA password: [<ENTER> for none] 123456
Repeat password to confirm: 123456
For how long should your certificate be valid? [5y] [ENTER]
Generate a certificate per node? [y/N]N
Enter all the hostnames that you need, one per line.
When you are done, press <ENTER> once more to move on to the next step.
[server-ip-address]:[port]
You entered the following hostnames.
- [server-ip-address]
Is this correct [Y/n]Y
Key Name: [info]
Subject DN: CN=[info], DC=[info], DC=[info]
Key Size: 2048
Do you wish to change any of these options? [y/N]N
If you wish to use a blank password, simply press <enter> at the prompt below.
Provide a password for the "http.p12" file: [<ENTER> for none] 123456
Repeat password to confirm: 123456
What filename should be used for the output zip file? [/usr/share/elasticsearch/elasticsearch-ssl-http.zip] [ENTER]
Zip file written to [docker-cotainer]:/usr/share/elasticsearch/elasticsearch-ssl-http.zip
Exit the container after you finish, using the command exit.
- Move the zip file outside the docker container using the following command:
docker cp [container-name]:/usr/share/elasticsearch/elasticsearch-ssl-http.zip .
It is important to move the file outside the docker container so we can manipulate it with the Linux commands that do not exist inside the docker container itself.
- Unzip the default file elasticsearch-ssl-http.zip using the unzip Linux library with this command:
unzip elasticsearch-ssl-http.zip
In case the unzip Linux library does not exist, you need to install it, using the command:
sudo apt install unzip
- After you unzip the files, we want its content, the http.p12 found in the path /elasticsearch/. We want to replace the default http.p12 in the docker image in config/certs/http.p12 with the one in the unzipped folder at elasticsearch/http.p12. To replace folders in any docker container, just copy over it using the docker cp command:
docker cp [name-of-the-file-we-want-to-copy] [docker-container-name]:/usr/share/elasticsearch/config/certs/http.p12
- Re-enter the docker container (like we did in step 1) and change the default password of the replaced default http.p12 keystore, using the following command:
./bin/elasticsearch-keystore add "xpack.security.http.ssl.keystore.secure_password"
Exit the container after you finish, using the command exit.
- Do not forget to restart the docker container so changes can take effect:
docker restart [name-of-container]
- Generate the .pem file to use in external clients, using this command:
openssl pkcs12 -nodes -in http.p12 -out http.pem
- Open the generated .pem file using the following command:
cat http.pem
Copy the contained characters to the Java client, and make sure it's in a straight line (minified). I usually do it by copying and pasting it in the Google Chrome search bar, which condenses it.
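
The last two steps can also be scripted; the following is an added example, not part of the original answer. It exports only the certificates from http.p12, checks that the PEM about to be handed to a client carries no private key, and prints each certificate as a single line of base64. It assumes the client needs only the certificates; the function names and the P12_PASS environment variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Assumes openssl is installed
# and the keystore password is held in the hypothetical env var P12_PASS.

# Export only the certificates from a PKCS#12 keystore. -nokeys omits the
# private key; -passin env: keeps the password off the command line.
p12_export_certs() {   # usage: p12_export_certs http.p12 http-certs.pem
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS -out "$2"
}

# Exit status 0 if the PEM file contains any private-key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
pem_has_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$1"
}

# Print each CERTIFICATE block as one line of base64, skipping the
# "Bag Attributes" text that openssl pkcs12 writes around the blocks.
pem_certs_single_line() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /^-----END CERTIFICATE-----/   { if (in_cert) print body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Flatten a PEM for a client, refusing files that still carry key material.
pem_for_client() {
    if pem_has_private_key "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 1
    fi
    pem_certs_single_line "$1"
}
```

Typical use is `p12_export_certs http.p12 http-certs.pem` followed by `pem_for_client http-certs.pem`; a file produced with `-nodes` and without `-nokeys` is rejected because it includes the unencrypted key.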