I'm trying to set the key password for the CA I created, using this command:
certgen --key ca.key --pass
The command fails with the error message:
"Option(s) [key] are unavailable given other options on the command line"
Anyone with an idea of what I'm failing to see here?
Certgen doesn't allow you to change the password on an existing key.
I'm afraid you'll have to use openssl or another similar tool if you want to do that.
I reckoned as much, thanks. I'll see if I can work out a procedure for doing it using openssl and post it here by the end of the day.
Using AES256 key length it fails with a novel exception: "org.bouncycastle.openssl.EncryptionException: exception using cipher - please check password and data."
I have verified that the password was correct - is the AES256 cipher unsupported by certgen? If so, which algorithm should I rather select?
aes128 works.
For reference:
openssl rsa -aes128 -in ca-unencrypted.key -out ca-encrypted.key
Enter passphrase for ca-encrypted.key:
Writing RSA key
And done. Continue using as before.
Request for feature: Implementing a password prompt within certgen would be fabulous, since it would avoid me having to clear my shell history every time I use it. <3
certgen supports password prompting. What exact problem are you running into?
If the --pass option is not (ahem) passed to certgen it fails due to not being able to decrypt key. If this is abnormal I'll be sure to document further.
For posterity, this is what happened after I tried to create a key/cert set after encrypting my CA key using openssl as shown above:
/usr/share/elasticsearch/bin/x-pack/certgen --cert /site/ca/elastic/customer/ca/ca.crt --days 3650 --key /site/ca/elastic/customer/ca/ca-enc.key --keysize 2048 --out /site/ca/elastic/customer/servers.zip
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL in the Elastic stack. Depending on the command
line option specified, you may be prompted for the following:
* The path to the output file
* The output file is a zip file containing the signed certificates and
private keys for each instance. If a Certificate Authority was generated,
the certificate and private key will also be included in the output file.
* Information about each instance
* An instance is any piece of the Elastic Stack that requires a SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* Certificate Authority private key password
* The password may be left empty if desired.
Let's get started...
Exception in thread "main" java.lang.IllegalArgumentException: cannot read encrypted key without a password
at org.elasticsearch.xpack.ssl.CertUtils.innerReadPrivateKey(CertUtils.java:259)
at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey(CertUtils.java:239)
at org.elasticsearch.xpack.ssl.CertificateTool.readPrivateKey(CertificateTool.java:527)
at org.elasticsearch.xpack.ssl.CertificateTool.getCAInfo(CertificateTool.java:328)
at org.elasticsearch.xpack.ssl.CertificateTool.execute(CertificateTool.java:164)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122)
at org.elasticsearch.cli.Command.main(Command.java:88)
at org.elasticsearch.xpack.ssl.CertificateTool.main(CertificateTool.java:146)
Might have been caused by not encrypting the CA key when it was generated? Not sure. Workaround is easy, of course, so no biggie.
Try including --pass without any argument. That will cause certgen to prompt for the password.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.