rename ca-keyusage to keyusage and make it applicable only to ca

Author: slobodanadamovic

docs/reference/elasticsearch/command-line-tools/certutil.md

@@ -13,10 +13,10 @@ The `elasticsearch-certutil` command simplifies the creation of certificates for
 ```shell
 bin/elasticsearch-certutil
 (
-(ca [--ca-dn <name>] [--ca-keyusage <key_usages>] [--days <n>] [--pem])
+(ca [--ca-dn <name>] [--keyusage <key_usages>] [--days <n>] [--pem])
 
 | (cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>])
-[--ca-dn <name>] [--ca-keyusage <key_usages>] [--ca-pass <password>] [--days <n>]
+[--ca-dn <name>] [--ca-pass <password>] [--days <n>]
 [--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
 [--multiple] [--name <file_name>] [--pem] [--self-signed])
 
@@ -99,15 +99,15 @@ The `http` mode guides you through the process of generating certificates for us
 `--ca-dn <name>`
 :   Defines the *Distinguished Name* (DN) that is used for the generated CA certificate. The default value is `CN=Elastic Certificate Tool Autogenerated CA`. This parameter cannot be used with the `csr` or `http` parameters.
 
-`--ca-keyusage <key_usages>`
-:   Specifies a comma-separated list of key usage restrictions (as per RFC 5280) that are used for the generated CA certificate. The default value is `keyCertSign,cRLSign`. This parameter cannot be used with the `csr` or `http` parameters.
-
 `--ca-key <file_path>`
 :   Specifies the path to an existing CA private key (in PEM format). You must also specify the `--ca-cert` parameter. The `--ca-key` parameter is only applicable to the `cert` parameter.
 
 `--ca-pass <password>`
 :   Specifies the password for an existing CA private key or the generated CA private key. This parameter is only applicable to the `cert` parameter
 
+`--keyusage <key_usages>`
+:   Specifies a comma-separated list of key usage restrictions (as per RFC 5280) that are used for the generated CA certificate. The default value is `keyCertSign,cRLSign`. This parameter may only be used with the `ca` parameter.
+
 `--days <n>`
 :   Specifies an integer value that represents the number of days the generated certificates are valid. The default value is `1095`. This parameter cannot be used with the `csr` or `http` parameters.
 

x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

@@ -250,7 +250,6 @@ final void acceptsCertificateAuthority() {
                 .withOptionalArg();
 
             acceptsCertificateAuthorityName();
-            acceptCertificateAuthorityKeyUsage();
         }
 
         void acceptsCertificateAuthorityName() {
@@ -280,7 +279,7 @@ final void acceptInputFile() {
 
         final void acceptCertificateAuthorityKeyUsage() {
             OptionSpecBuilder builder = parser.accepts(
-                "ca-keyusage",
+                "keyusage",
                 "comma separated key usages to use for the generated CA. "
                     + "defaults to '"
                     + Strings.collectionToCommaDelimitedString(DEFAULT_CA_KEY_USAGE)
@@ -332,11 +331,16 @@ final int getKeySize(OptionSet options) {
 
         final List<String> getCaKeyUsage(OptionSet options) {
             if (options.has(caKeyUsageSpec)) {
-                String rawCaKeyUsage = caKeyUsageSpec.value(options);
-                if (Strings.isNullOrEmpty(rawCaKeyUsage)) {
+                final Function<String, Stream<? extends String>> splitByComma = v -> Stream.of(Strings.splitStringByCommaToArray(v));
+                final List<String> caKeyUsage = caKeyUsageSpec.values(options)
+                    .stream()
+                    .flatMap(splitByComma)
+                    .filter(v -> false == Strings.isNullOrEmpty(v))
+                    .toList();
+                if (caKeyUsage.isEmpty()) {
                     return DEFAULT_CA_KEY_USAGE;
                 }
-                return List.of(Strings.splitStringByCommaToArray(rawCaKeyUsage));
+                return caKeyUsage;
             } else {
                 return DEFAULT_CA_KEY_USAGE;
             }

x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java

@@ -1211,7 +1211,7 @@ private String generateCA(Path caFile, MockTerminal terminal, Environment env, b
             String.valueOf(caKeySize),
             "-days",
             String.valueOf(days),
-            "--ca-keyusage",
+            "-keyusage",
             caKeyUsage };
         if (pem) {
             args = ArrayUtils.append(args, "--pem");