For posterity, this is what happened after I tried to create a key/cert set after encrypting my CA key using openssl as shown above:
/usr/share/elasticsearch/bin/x-pack/certgen --cert /site/ca/elastic/customer/ca/ca.crt --days 3650 --key /site/ca/elastic/customer/ca/ca-enc.key --keysize 2048 --out /site/ca/elastic/customer/servers.zip
This tool assists you in the generation of X.509 certificates and certificate
signing requests for use with SSL in the Elastic stack. Depending on the command
line option specified, you may be prompted for the following:
* The path to the output file
* The output file is a zip file containing the signed certificates and
private keys for each instance. If a Certificate Authority was generated,
the certificate and private key will also be included in the output file.
* Information about each instance
* An instance is any piece of the Elastic Stack that requires a SSL certificate.
Depending on your configuration, Elasticsearch, Logstash, Kibana, and Beats
may all require a certificate and private key.
* The minimum required value for each instance is a name. This can simply be the
hostname, which will be used as the Common Name of the certificate. A full
distinguished name may also be used.
* A filename value may be required for each instance. This is necessary when the
name would result in an invalid file or directory name. The name provided here
is used as the directory name (within the zip) and the prefix for the key and
certificate files. The filename is required if you are prompted and the name
is not displayed in the prompt.
* IP addresses and DNS names are optional. Multiple values can be specified as a
comma separated string. If no IP addresses or DNS names are provided, you may
disable hostname verification in your SSL configuration.
* Certificate Authority private key password
* The password may be left empty if desired.
Let's get started...
Exception in thread "main" java.lang.IllegalArgumentException: cannot read encrypted key without a password
Might have been caused by not encrypting the CA key when it was generated? Not sure. Workaround is easy, of course, so no biggie.