I have been banging my head against the wall for days now about this.
I am using docker-compose to run opensearch. I am trying to replace the demo certificates with certificates generated by the CA on our Domain Controller; I am not generating certificates with openssl or any other command line utility. I used the generic web server template with extended key usage for Server Authentication and Client Authentication. I then exported the .pfx file and extracted the certificate into pem format. I have also extracted the private key into pem format. I then converted the private key to pkcs8 unencrypted. When I run docker-compose up, the node1 logs tell me “Extended key usage does not permit use for TLS client authentication”.
I have gone over this numerous times and generated several certificates with different extended key usages in place (Server Authentication only, Client Authentication only, Server/Client Authentication). There has to be something I am missing.
Has anybody successfully installed certificates generated by Windows CA?
I am not using a keystore. I am placing the certificates in the same directory as the docker-compose file and referencing them in the volumes block of the docker-compose file. I am also using a custom opensearch.yml file that I am referencing in the docker-compose file.
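
An added example, not part of the original post: one way to list the subject and Extended Key Usage of every certificate inside a PEM file extracted from a .pfx, so the file mounted into the container can be compared with what the template was meant to issue. It assumes the openssl CLI is installed; the function names and the sample certificate names are hypothetical, and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.

# eku_report FILE: one line per certificate found in FILE, in file order:
#   <index> TAB <subject> TAB eku=<Extended Key Usage values, or "none">
eku_report() {
  local pem="$1" tmp f i=0 subject eku
  tmp="$(mktemp -d)" || return 1
  # Split the file into one PEM per certificate. Text outside the BEGIN/END
  # markers (such as the "Bag Attributes" lines of a PFX export) is skipped.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$pem"
  for f in "$tmp"/cert*.pem; do
    [ -e "$f" ] || break
    i=$((i + 1))
    subject="$(openssl x509 -in "$f" -noout -subject)"
    # In -text output the EKU values are on the line after the extension name.
    eku="$(openssl x509 -in "$f" -noout -text |
      awk '/X509v3 Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }')"
    printf '%d\t%s\teku=%s\n' "$i" "$subject" "${eku:-none}"
  done
  rm -rf "$tmp"
}

# make_sample_bundle OUT: constructed test input, two throwaway self-signed
# certificates (hypothetical names) with different EKUs, in one PEM file.
make_sample_bundle() {
  local out="$1" tmp eku i=0
  tmp="$(mktemp -d)" || return 1
  : > "$out"
  for eku in serverAuth "serverAuth,clientAuth"; do
    i=$((i + 1))
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=sample$i.example.test" -addext "extendedKeyUsage=$eku" \
      -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    echo "Bag Attributes" >> "$out"   # mimic the extra text of a PFX export
    cat "$tmp/cert.pem" >> "$out"
  done
  rm -rf "$tmp"
}
```

Run `eku_report` against the exact PEM file referenced in the volumes block; more than one output line means the file holds several certificates, each listed with its own EKU.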