OpenDistro Nodes Certificate - OID

Is it a must to create node certificates with an OID in the SAN entry?
Why is it required?

I am running into this issue.

[root@gcpxxx tools]# bash -x securityadmin_demo.sh
++ hostname -f
+ sudo /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig -icl -key /etc/elasticsearch/host.key -cert /etc/elasticsearch/ServerCertificate.crt -cacert /etc/elasticsearch/ChainBundle2.crt -nhnv -h gcpxxx.abc01.abcd.com -dg --accept-red-cluster
WARNING: JAVA_HOME not set, will use /bin/java
Open Distro Security Admin v6
Will connect to gcpxxx.abc01.abcd.com:9300 ... done
Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info
Connected as CN=gcpxxx.abc01.abcd.com,O=Kingkong,L=Houston,ST=Texas,C=US
ERR: Seems you use a node certificate which is also an admin certificate
That may have worked with older Open Distro Security versions but it indicates
a configuration error and is therefore forbidden now.
Diagnostic trace written to: /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin_diag_trace_2019-May-23_04-35-08.txt
Contacting elasticsearch cluster 'elasticsearch' ...
Cannot retrieve cluster state due to: No user found for cluster:monitor/health. This is not an error, will keep on trying ...
Root cause: ElasticsearchSecurityException[No user found for cluster:monitor/health] (org.elasticsearch.ElasticsearchSecurityException/org.elasticsearch.ElasticsearchSecurityException)
* Try running securityadmin.sh with -icl (but no -cl) and -nhnv (If that works you need to check your clustername as well as hostnames in your TLS certificates)
* Make sure that your keystore or PEM certificate is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
* If this is not working, try running securityadmin.sh with --diagnose and see diagnose trace log file)
* Add --accept-red-cluster to allow securityadmin to operate on a red cluster.

Configs:
opendistro_security.nodes_dn:

opendistro_security.authcz.admin_dn:

Any help here @Opendistro Team.