Commit 5fdda88

rename ca-keyusage to keyusage and make it applicable only to ca
1 parent fa68b1a commit 5fdda88

3 files changed

+15
-11
lines changed

docs/reference/elasticsearch/command-line-tools/certutil.md

Lines changed: 5 additions & 5 deletions
@@ -13,10 +13,10 @@ The `elasticsearch-certutil` command simplifies the creation of certificates for
1313
```shell
1414
bin/elasticsearch-certutil
1515
(
16-
(ca [--ca-dn <name>] [--ca-keyusage <key_usages>] [--days <n>] [--pem])
16+
(ca [--ca-dn <name>] [--keyusage <key_usages>] [--days <n>] [--pem])
1717

1818
| (cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>])
19-
[--ca-dn <name>] [--ca-keyusage <key_usages>] [--ca-pass <password>] [--days <n>]
19+
[--ca-dn <name>] [--ca-pass <password>] [--days <n>]
2020
[--dns <domain_name>] [--in <input_file>] [--ip <ip_addresses>]
2121
[--multiple] [--name <file_name>] [--pem] [--self-signed])
2222

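Review bot: In the `cert` synopsis, `[--ca-dn <name>]` stays while the key usage option is dropped, so the docs no longer say which key usage a CA generated on the fly by `cert` receives. If that CA always gets the default `keyCertSign,cRLSign`, state it in the `cert` description, so operators who need a different restriction know to create the CA with `ca --keyusage` first and pass it in with `--ca`.
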
@@ -99,15 +99,15 @@ The `http` mode guides you through the process of generating certificates for us
9999
`--ca-dn <name>`
100100
: Defines the *Distinguished Name* (DN) that is used for the generated CA certificate. The default value is `CN=Elastic Certificate Tool Autogenerated CA`. This parameter cannot be used with the `csr` or `http` parameters.
101101

102-
`--ca-keyusage <key_usages>`
103-
: Specifies a comma-separated list of key usage restrictions (as per RFC 5280) that are used for the generated CA certificate. The default value is `keyCertSign,cRLSign`. This parameter cannot be used with the `csr` or `http` parameters.
104-
105102
`--ca-key <file_path>`
106103
: Specifies the path to an existing CA private key (in PEM format). You must also specify the `--ca-cert` parameter. The `--ca-key` parameter is only applicable to the `cert` parameter.
107104

108105
`--ca-pass <password>`
109106
: Specifies the password for an existing CA private key or the generated CA private key. This parameter is only applicable to the `cert` parameter
110107

108+
`--keyusage <key_usages>`
109+
: Specifies a comma-separated list of key usage restrictions (as per RFC 5280) that are used for the generated CA certificate. The default value is `keyCertSign,cRLSign`. This parameter may only be used with the `ca` parameter.
110+
111111
`--days <n>`
112112
: Specifies an integer value that represents the number of days the generated certificates are valid. The default value is `1095`. This parameter cannot be used with the `csr` or `http` parameters.
113113

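Review bot: The new `--keyusage` entry is inserted between `--ca-pass` and `--days`, which breaks the alphabetical order the neighbouring entries follow (`--ca-dn`, `--ca-key`, `--ca-pass`, `--days`); move it to its alphabetical position after `--days`. If `--ca-keyusage` appeared in a released version, also add a sentence saying that `--keyusage` replaces it, because the new name no longer contains `ca` and readers with existing scripts will search for the old one.
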
x-pack/plugin/security/cli/src/main/java/org/elasticsearch/xpack/security/cli/CertificateTool.java

Lines changed: 9 additions & 5 deletions
@@ -250,7 +250,6 @@ final void acceptsCertificateAuthority() {
250250
.withOptionalArg();
251251

252252
acceptsCertificateAuthorityName();
253-
acceptCertificateAuthorityKeyUsage();
254253
}
255254

256255
void acceptsCertificateAuthorityName() {
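Review bot: Removing `acceptCertificateAuthorityKeyUsage();` from `acceptsCertificateAuthority()` leaves no caller of that method visible in this diff, and no hunk adds one. Please confirm that the `ca` command still registers the option itself, and that `getCaKeyUsage` is safe for commands that no longer register it, since it calls `options.has(caKeyUsageSpec)` on a spec that would then never have been assigned.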
@@ -280,7 +279,7 @@ final void acceptInputFile() {
280279

281280
final void acceptCertificateAuthorityKeyUsage() {
282281
OptionSpecBuilder builder = parser.accepts(
283-
"ca-keyusage",
282+
"keyusage",
284283
"comma separated key usages to use for the generated CA. "
285284
+ "defaults to '"
286285
+ Strings.collectionToCommaDelimitedString(DEFAULT_CA_KEY_USAGE)
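Review bot: The option name changes from `"ca-keyusage"` to `"keyusage"` with no alias, so an invocation that still passes `--ca-keyusage` will no longer be recognised. If the old name has been in a release, keep it as a deprecated alias or call out the rename in the release notes. The help text here could also say that the option is only valid for `ca`, matching the docs change.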
@@ -332,11 +331,16 @@ final int getKeySize(OptionSet options) {
332331

333332
final List<String> getCaKeyUsage(OptionSet options) {
334333
if (options.has(caKeyUsageSpec)) {
335-
String rawCaKeyUsage = caKeyUsageSpec.value(options);
336-
if (Strings.isNullOrEmpty(rawCaKeyUsage)) {
334+
final Function<String, Stream<? extends String>> splitByComma = v -> Stream.of(Strings.splitStringByCommaToArray(v));
335+
final List<String> caKeyUsage = caKeyUsageSpec.values(options)
336+
.stream()
337+
.flatMap(splitByComma)
338+
.filter(v -> false == Strings.isNullOrEmpty(v))
339+
.toList();
340+
if (caKeyUsage.isEmpty()) {
337341
return DEFAULT_CA_KEY_USAGE;
338342
}
339-
return List.of(Strings.splitStringByCommaToArray(rawCaKeyUsage));
343+
return caKeyUsage;
340344
} else {
341345
return DEFAULT_CA_KEY_USAGE;
342346
}
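Review bot: Switching from `caKeyUsageSpec.value(options)` to `caKeyUsageSpec.values(options)` lets the option be passed more than once and merges the lists, but neither the docs nor the test in this commit covers that. Add a test with a repeated flag, and consider `.distinct()` before `.toList()` so a repeated usage name is not carried into the result. An argument that contains only separators ends up in the `caKeyUsage.isEmpty()` branch and silently falls back to `DEFAULT_CA_KEY_USAGE`; raising an error there would make it obvious that the requested restriction was not applied.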

x-pack/plugin/security/cli/src/test/java/org/elasticsearch/xpack/security/cli/CertificateToolTests.java

Lines changed: 1 addition & 1 deletion
@@ -1211,7 +1211,7 @@ private String generateCA(Path caFile, MockTerminal terminal, Environment env, b
12111211
String.valueOf(caKeySize),
12121212
"-days",
12131213
String.valueOf(days),
1214-
"--ca-keyusage",
1214+
"-keyusage",
12151215
caKeyUsage };
12161216
if (pem) {
12171217
args = ArrayUtils.append(args, "--pem");
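Review bot: The test passes `"-keyusage"` with a single dash, while the documentation in this commit spells the option `--keyusage` and the replaced line used two dashes; use `"--keyusage"` so the test exercises the documented form. Since the commit makes the option applicable only to `ca`, a test asserting that `cert` no longer accepts it would pin down the new restriction.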
