
Elasticsearch: Decrypt the Elasticsearch .p12 file

Last Updated: Mar 26, 2026

The online migration tool requires a decrypted .p12 file when migrating data from a self-managed Elasticsearch cluster to Alibaba Cloud Elasticsearch. A .p12 file is a PKCS#12 (Public Key Cryptography Standards #12) container that stores a public key, private key, and digital certificate in a single binary file. During migration, nodes across different Elasticsearch clusters must communicate with each other, which requires all nodes to share consistent .p12 files. Use OpenSSL to extract the private key and certificate from the .p12 file into a PEM file that the migration tool can accept.

The .p12 file is in the config directory of your Elasticsearch cluster.

Prerequisites

Before you begin, ensure that you have:

  • Access to the config directory of your Elasticsearch cluster

  • The password for the .p12 file (if set)

Step 1: Install OpenSSL

Check whether OpenSSL is installed:

openssl version

If OpenSSL is not installed, install it based on your operating system.

Step 2: Decrypt the .p12 file

Run the following command to extract the private key and certificate from the .p12 file into a PEM file:

openssl pkcs12 \
  -in <your-p12-file> \
  -out <output-pem-file> \
  -nodes

Parameter               Description
-in <your-p12-file>     Path to the .p12 file to decrypt
-out <output-pem-file>  Path for the output PEM file
-nodes                  Outputs the private key without encryption. If omitted, the private key is encrypted in the output file

OpenSSL prompts you to enter the .p12 password. If the file has no password, press Enter.

The resulting PEM file contains both the private key and the certificate, each delimited by -----BEGIN ... ----- markers.

Step 3: Verify the decrypted output

A successfully decrypted .p12 file produces output in the following format:

MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Bag Attributes
    friendlyName: instance
    localKeyID: 54 69 6D 65 20 31 37 33 36 34 32 35 39 35 39 33 39 39
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCCwYqGvtUGcp/3
6qXlbaGcCfOduwgnuQRGa18RGfqv6O4szY4pqX1XSdAEpWlu4U9cw4WhI5GLWs1L
POgRXtsi35fy1UWAo/6Y9g==
-----END PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: instance
    localKeyID: 54 69 6D 65 20 31 37 33 36 34 32 35 39 35 39 33 39 39
subject=/CN=instance
issuer=/CN=Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIUGUcMGMBpaLuT7Zxt3E3cF6Tc29gwDQYJKoZIhvcNAQEL
ag+Z+2V2nOhIGGvGbhHE9PFfwOrNcUK8Vom6/JhPZ0WAm0n1kO8=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: ca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/CN=Elastic Certificate Tool Autogenerated CA
issuer=/CN=Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIVAImtUWvj0iuyXZRr/0jUb5fT6IhFMA0GCSqGSIb3DQEB
CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
MJNbQn/U13wCkYZKFzMzKgvXk4QQ8O50hLCJJ5NY
-----END CERTIFICATE-----

The output contains:

  • One private key section (BEGIN PRIVATE KEY / END PRIVATE KEY)

  • Two certificate sections (BEGIN CERTIFICATE / END CERTIFICATE): the instance certificate and the Elastic Certificate Tool Autogenerated CA certificate
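
Because -nodes writes the private key to disk in cleartext, the extraction and the Step 3 check can be wrapped so that the PEM file is owner-only from creation and its contents are confirmed before upload. The following shell functions are an added example, not part of the original documentation; the function names and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: function names and file names are illustrative assumptions.

# Extract key + certificates. The subshell's umask makes a newly created
# output file owner-only (0600), since -nodes stores the key unencrypted.
# (OpenSSL 3.0 and later also accept -noenc in place of -nodes.)
extract_p12() {  # usage: extract_p12 <p12-file> <output-pem-file>
    ( umask 077 && openssl pkcs12 -in "$1" -out "$2" -nodes )
}

# Confirm the layout described in Step 3: exactly one unencrypted private key,
# two certificates, and no group/other permission bits on the file.
check_pem_layout() {  # usage: check_pem_layout <pem-file>
    pem=$1
    keys=$(grep -c -e '-----BEGIN PRIVATE KEY-----' "$pem" || true)
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    mode=$(ls -l "$pem" | cut -c5-10)   # group and other permission bits
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -eq 2 ] || { echo "expected 2 certificates, found $certs" >&2; return 1; }
    [ "$mode" = "------" ] || { echo "$pem is accessible to group/other" >&2; return 1; }
}

# Confirm the private key belongs to the first certificate in the file
# (the instance certificate) by comparing their public keys.
key_matches_cert() {  # usage: key_matches_cert <pem-file>
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$1" -noout -pubkey)" ]
}

# Typical sequence (input.p12 and output.pem are placeholders):
#   extract_p12 input.p12 output.pem \
#     && check_pem_layout output.pem \
#     && key_matches_cert output.pem
```

If the output path already exists with looser permissions, the umask does not tighten them; check_pem_layout reports that case so the file can be removed and re-extracted. Delete the PEM file from the local host once the migration no longer needs it.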

Upload the decrypted PEM file to the online migration tool to proceed with data migration.