All Products
Search

This Product

    Elasticsearch:Decrypt the Elasticsearch .p12 file

    Document Center

    Elasticsearch:Decrypt the Elasticsearch .p12 file

    Last Updated:Mar 31, 2025

    When you use the online migration tool to migrate data from a self-managed Elasticsearch cluster to an Alibaba Cloud Elasticsearch cluster, you need to upload the decrypted .p12 file. This topic describes how to decrypt a .p12 file. During the decryption, the certificate and private key in the file are extracted.

    Background information

    • A .p12 file stores public and private keys and contains a digital certificate.

    • During data migration, nodes in different Elasticsearch clusters need to be contacted and merged. Therefore, you must make sure that nodes can communicate with each other. This requires that the .p12 files of all nodes be consistent.

    Note

    A .p12 file is in the config directory of an Elasticsearch cluster.

    Procedure

    1. Install OpenSSL

    Run the following command to check whether OpenSSL is installed:

    openssl version

    If it not installed, install OpenSSL based on your operating system.

    2. Decrypt the .p12 file

    Run the following command to extract the private key and certificate from the .p12 file: 

    openssl pkcs12 -in yourfile.p12 -out outputfile.pem -nodes

    Code

    Description

    -in yourfile.p12

    The name of the .p12 file that you want to decrypt.

    -out outputfile.pem

    The name of the output PEM file.

    -nodes

    If you specify this item, the private key is not encrypted. Otherwise, the private key is encrypted.

    Note

    When you run the preceding command, you are prompted to enter the password of the .p12 file. If the .p12 file does not have a password, press Enter.

    3. View the decrypted .p12 file

    The following code shows the format of a decrypted .p12 file:

    MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Bag Attributes
    friendlyName: instance
    localKeyID: 54 69 6D 65 20 31 37 33 36 34 32 35 39 35 39 33 39 39 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCCwYqGvtUGcp/3
6qXlbaGcCfOduwgnuQRGa18RGfqv6O4szY4pqX1XSdAEpWlu4U9cw4WhI5GLWs1L
POgRXtsi35fy1UWAo/6Y9g==
-----END PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: instance
    localKeyID: 54 69 6D 65 20 31 37 33 36 34 32 35 39 35 39 33 39 39 
subject=/CN=instance
issuer=/CN=Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIUGUcMGMBpaLuT7Zxt3E3cF6Tc29gwDQYJKoZIhvcNAQEL
ag+Z+2V2nOhIGGvGbhHE9PFfwOrNcUK8Vom6/JhPZ0WAm0n1kO8=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: ca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/CN=Elastic Certificate Tool Autogenerated CA
issuer=/CN=Elastic Certificate Tool Autogenerated CA
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIVAImtUWvj0iuyXZRr/0jUb5fT6IhFMA0GCSqGSIb3DQEB
CwUAMDQxMjAwBgNVBAMTKUVsYXN0aWMgQ2VydGlmaWNhdGUgVG9vbCBBdXRvZ2Vu
MJNbQn/U13wCkYZKFzMzKgvXk4QQ8O50hLCJJ5NY
-----END CERTIFICATE-----