X-Pack Certgen - unable to set key password after creation

(Øystein Larsen) #1

I'm trying to set the key password for the CA I created, using this command:

certgen --key ca.key --pass

The command fails with the error message:

"Option(s) [key] are unavailable given other options on the command line"

Anyone with an idea of what I'm failing to see here?

(Tim Vernum) #2

Certgen doesn't allow you to change the password on an existing key.

I'm afraid you'll have to use openssl or another similar tool if you want to do that.

(Øystein Larsen) #3

I reckoned as much, thanks. I'll see if I can work out a procedure for doing it using openssl and post it here by the end of the day.

(Øystein Larsen) #4

Using AES256 key length it fails with a novel exception: "org.bouncycastle.openssl.EncryptionException: exception using cipher - please check password and data."

I have verified that the password was correct - is the AES256 cipher unsupported by certgen? If so, which algorithm should I rather select?

(Øystein Larsen) #5

aes128 works.

For reference:

openssl rsa -aes128 -in ca-unencrypted.key -out ca-encrypted.key
Enter passphrase for ca-encrypted.key:
Writing RSA key

And done. Continue using as before.

Request for feature: Implementing a password prompt within certgen would be fabulous, since it would avoid me having to clear my shell history every time I use it. <3
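Added example, not part of this thread and not Elastic's code: a small Python checker that reads the traditional-PEM `Proc-Type` / `DEK-Info` headers that `openssl rsa -aes128` writes, so you can see which cipher a CA key was encrypted with before certgen tries to parse it. It encodes only what the posts above observed (AES-128-CBC loaded, AES-256-CBC raised the BouncyCastle EncryptionException); any other cipher or a PKCS#8 `ENCRYPTED PRIVATE KEY` block is reported as untested rather than guessed at. The sample PEM bodies are constructed placeholders, not real key material.

```python
"""Inspect the encryption headers of a PEM private key before passing it to certgen.

Added example (not from the thread or from Elastic). Assumption: the thread's
observation that AES-128-CBC works with certgen and AES-256-CBC does not; that is
the only basis for the verdict table below.
"""
import re
import sys

# Verdict table derived from the thread's reports, nothing more.
KNOWN_OK = {"AES-128-CBC"}
KNOWN_FAIL = {"AES-256-CBC"}

_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+)-----$", re.M)
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)$", re.M)


def inspect_pem_key(pem_text):
    """Describe a PEM key: its label, format, whether it is encrypted and,
    for traditional PEM, the cipher named in the DEK-Info header."""
    begin = _BEGIN.search(pem_text)
    if not begin:
        raise ValueError("no PEM BEGIN line found")
    label = begin.group(1)
    info = {"label": label, "format": None, "encrypted": False,
            "cipher": None, "iv_ok": None}
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher lives inside the DER structure, not in a text header.
        info.update(format="pkcs8", encrypted=True)
        return info
    if label == "PRIVATE KEY":
        info["format"] = "pkcs8"
        return info
    # "RSA PRIVATE KEY", "EC PRIVATE KEY", ...: traditional OpenSSL PEM.
    info["format"] = "traditional"
    if _PROC_TYPE.search(pem_text):
        info["encrypted"] = True
        dek = _DEK_INFO.search(pem_text)
        if dek:
            info["cipher"] = dek.group(1).upper()
            # For AES-CBC the IV in DEK-Info is one 16-byte block (32 hex chars).
            info["iv_ok"] = len(dek.group(2)) == 32
    return info


def certgen_verdict(info):
    """Map an inspect_pem_key() result onto what the thread reported."""
    if not info["encrypted"]:
        return "unencrypted"          # certgen reads it without --pass
    if info["format"] == "pkcs8" or info["cipher"] is None:
        return "untested"             # the thread only covers traditional PEM
    if info["cipher"] in KNOWN_OK:
        return "ok"
    if info["cipher"] in KNOWN_FAIL:
        return "known-failure"        # re-encrypt with -aes128 as in post #5
    return "untested"


# Constructed sample PEM blocks (placeholder base64, not real keys).
SAMPLE_AES128 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

SAMPLE_AES256 = SAMPLE_AES128.replace("AES-128-CBC", "AES-256-CBC")

SAMPLE_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def report(path):
    """Print the inspection result for a key file on disk."""
    with open(path, encoding="ascii") as fh:
        info = inspect_pem_key(fh.read())
    print(f"{path}: {info['label']} ({info['format']}), cipher={info['cipher']}, "
          f"verdict={certgen_verdict(info)}")


if __name__ == "__main__":
    for key_path in sys.argv[1:]:
        report(key_path)
```

Run it as `python check_key.py ca-encrypted.key`; a `known-failure` verdict means the key should be re-encrypted with `-aes128` before being handed to certgen, and `untested` means the thread simply has no data for that format.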

(Tim Vernum) #6

certgen supports password prompting. What exact problem are you running into?

(Øystein Larsen) #7

If the --pass option is not (ahem) passed to certgen it fails due to not being able to decrypt key. If this is abnormal I'll be sure to document further.

(Øystein Larsen) #8

For posterity, this is what happened after I tried to create a key/cert set after encrypting my CA key using openssl as shown above:

    /usr/share/elasticsearch/bin/x-pack/certgen --cert /site/ca/elastic/customer/ca/ca.crt --days 3650 --key /site/ca/elastic/customer/ca/ca-enc.key --keysize 2048 --out /site/ca/elastic/customer/servers.zip
    This tool assists you in the generation of X.509 certificates and certificate
    signing requests for use with SSL in the Elastic stack. Depending on the command
    line option specified, you may be prompted for the following:
    * The path to the output file
    * The output file is a zip file containing the signed certificates and
          private keys for each instance. If a Certificate Authority was generated,
          the certificate and private key will also be included in the output file.
    * Information about each instance
    * An instance is any piece of the Elastic Stack that requires a SSL certificate.
          Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
          may all require a certificate and private key.
    * The minimum required value for each instance is a name. This can simply be the
          hostname, which will be used as the Common Name of the certificate. A full
          distinguished name may also be used.
     * A filename value may be required for each instance. This is necessary when the
          name would result in an invalid file or directory name. The name provided here
          is used as the directory name (within the zip) and the prefix for the key and
          certificate files. The filename is required if you are prompted and the name
          is not displayed in the prompt.
     * IP addresses and DNS names are optional. Multiple values can be specified as a
          comma separated string. If no IP addresses or DNS names are provided, you may
          disable hostname verification in your SSL configuration.
    * Certificate Authority private key password
    * The password may be left empty if desired.

    Let's get started...

    Exception in thread "main" java.lang.IllegalArgumentException: cannot read encrypted key without a password
            at org.elasticsearch.xpack.ssl.CertUtils.innerReadPrivateKey(CertUtils.java:259)
            at org.elasticsearch.xpack.ssl.CertUtils.readPrivateKey(CertUtils.java:239)
            at org.elasticsearch.xpack.ssl.CertificateTool.readPrivateKey(CertificateTool.java:527)
            at org.elasticsearch.xpack.ssl.CertificateTool.getCAInfo(CertificateTool.java:328)
            at org.elasticsearch.xpack.ssl.CertificateTool.execute(CertificateTool.java:164)
            at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:67)
            at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:122)
            at org.elasticsearch.cli.Command.main(Command.java:88)
            at org.elasticsearch.xpack.ssl.CertificateTool.main(CertificateTool.java:146)

Might have been caused by not encrypting the CA key when it was generated? Not sure. Workaround is easy, of course, so no biggie.

(Tim Vernum) #9

Try including --pass without any argument. That will cause certgen to prompt for the password.

(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.