Windows CA Certificates


I have been banging my head against the wall for days now about this.

I am using docker-compose to run opensearch. I am trying to replace the demo certificates with certificates generated by the CA on our Domain Controller, I am not generating certificates with openssl or any other command line utility. I used the generic web server template with extended key usage for Server Authentication and Client Authentication. I then exported the .pfx file and extracted the certificate into pem format. I have also extracted the private key into pem format. I then converted the private key to pkcs8 unencrypted. When I run docker-compose up the node1 logs tell me “Extended key usage does not permit use for TLS client authentication”.

I have gone over this numerous times and generated several certificates with different extended key usages in place (Server Authentication only, Client Authentication only, Server/Client Authentication). There has to be something I am missing.

Has anybody successfully installed certificates generated by Windows CA?

I am not using a keystore. I am placing the certificates in the same directory as the docker-compose file and referencing them in the volumes block of the docker-compose file. I am also using a custom opensearch.yml file that I am referencing in the docker-compose file.


What documentation was used for your certificate configuration?

@michael.anderton Could you run the below command against one of your test certificates and share the key usage and the extended key usage?

openssl x509 -in <test_node_cert> -text -noout

@pablo It would seem as though the CA is not adding client auth to my key usage as I am wanting it to.

X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
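The steps described in the opening post (export the .pfx, pull out the leaf certificate and the private key as PEM, rewrite the key as unencrypted PKCS#8) and the EKU check pablo asked for can be combined into one script that refuses to hand files to docker-compose unless the certificate actually carries both purposes. This is an added example, not code from the thread or from the OpenSearch project; the file names node.pfx, node.pem and node-key.pem, the export password and the sample dump text are assumptions, and the sample dump lines are constructed rather than captured from a real certificate.

```shell
#!/bin/sh
# Convert a Windows CA .pfx export into the PEM certificate and unencrypted
# PKCS#8 key that the OpenSearch security plugin reads, then verify the
# Extended Key Usage before the files are mounted into the container.
# Assumed file names: node.pfx -> node.pem + node-key.pem.

# eku_ok: read `openssl x509 -text` output on stdin and return 0 only if the
# X509v3 Extended Key Usage extension lists BOTH server and client auth.
# A certificate issued from the stock Web Server template carries only
# "TLS Web Server Authentication", which is the failing case in the thread.
eku_ok() {
    # The purpose list is on the line after the extension header.
    eku=$(awk '/X509v3 Extended Key Usage/ {getline; print; exit}')
    case "$eku" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
    return 0
}

# pfx_to_pem PFX CERT_OUT KEY_OUT PASSWORD
# Extracts the leaf certificate and the private key, converts the key to
# unencrypted PKCS#8, and fails (non-zero exit) if the EKU check fails.
pfx_to_pem() {
    pfx=$1; cert=$2; key=$3; pw=$4
    # Leaf certificate only (-clcerts), no key, bag attributes stripped by x509.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pw" \
        | openssl x509 -out "$cert" || return 1
    # Private key without encryption (-nodes), rewritten as PKCS#8 (-nocrypt).
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "pass:$pw" \
        | openssl pkcs8 -topk8 -nocrypt -out "$key" || return 1
    # The key is plaintext on disk; restrict it to the owner.
    chmod 600 "$key"
    # Gate on the EKU so the "does not permit use for TLS client
    # authentication" error is caught here, not in the node logs.
    openssl x509 -in "$cert" -noout -text | eku_ok
}

# Constructed sample dump fragments (assumed, not real openssl output) so the
# EKU check can be exercised without a certificate on hand.
SAMPLE_SERVER_ONLY='            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_BOTH='            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'

# Usage: sh convert.sh node.pfx node.pem node-key.pem 'export-password'
if [ "$#" -eq 4 ]; then
    pfx_to_pem "$1" "$2" "$3" "$4" || {
        echo "EKU does not include both serverAuth and clientAuth" >&2
        exit 1
    }
fi
```

If the check fails, the fix is on the CA side: duplicate the Web Server template, add Client Authentication under Extensions > Application Policies, reissue, and re-export, rather than regenerating with openssl.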

@michael.anderton Could you also share your docker-compose.yml file and opensearch.yml?

@michael.anderton Is this the same issue as this one?

It is based off of the same issue as the other, yes. This one can be closed.