Windows CA Certificates

michael.anderton · June 2, 2022, 7:40pm

Hello,

I have been banging my head against the wall for days now about this.

I am using docker-compose to run opensearch. I am trying to replace the demo certificates with certificates generated by the CA on our Domain Controller, I am not generating certificates with openssl or any other command line utility. I used the generic web server template with extended key usage for Server Authentication and Client Authentication. I then exported the .pfx file and extracted the certificate into pem format. I have also extracted the private key into pem format. I then converted the private key to pkcs8 unencrypted. When I run docker-compose up the node1 logs tell me “Extended key usage does not permit use for TLS client authentication”.

I have gone over this numerous times and generated several certificates with different extended key usages in place (Server Authentication only, Client Authentication only, Server/Client Authentication). There has to be something I am missing.

Has anybody successfully installed certificates generated by Windows CA?

I am not using a keystore. I am placing the certificates in the same directory as the dockery-compose file and referencing them in the volumes block of the docker-compose file. I am also using a custom opensearch.yml file that I am referencing in the docker-compose file.

Gsmitt · June 4, 2022, 4:17am

Hello,

What documentation was used for you certificates configurations?

Active Directory and LDAP - OpenSearch documentation

pablo · June 10, 2022, 1:42pm

@michael.anderton Could you run the below command against one of your test certificates and share the key usage and the extended key usage?

openssl -x509 -in <test_node_cert> -text -noout

michael.anderton · August 10, 2022, 2:16pm

@pablo It would seem as though the CA is not adding client auth to my key usage as I am wanting it to.

X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....:...c.......a.....?...|..`..d...
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            1.3.6.1.4.1.311.21.10:
                0.0

pablo · August 11, 2022, 2:20pm

@michael.anderton Could you also share your docker-compose.yml file and opensearch.yml?

pablo · August 12, 2022, 10:03am

@michael.anderton Is this the same issue as this one?

michael.anderton · August 16, 2022, 5:43pm

@pablo
It is based off of the same issue as the other, yes. This one can be closed.

Topic		Replies	Views
CA Signed Certificates Security troubleshoot	10	1066	June 8, 2022
SSL Certificate Error "unknown_certificate" Security	32	7247	August 17, 2022
Certificate configuration Error Security troubleshoot , configure	5	1903	June 26, 2023
Replace DEMO SSL certificate for Production CA DigiCert wildcard Security troubleshoot , configure , install	10	957	May 2, 2023
TLS configuration with organizational certs Security troubleshoot , configure	2	617	January 21, 2022

Windows CA Certificates

Related topics