TLS configuration with organizational certs

Is there a complete step-by-step guide to configure OpenSearch to use organization generated certs rather the demo certs. I am trying to use the exact same certs that work fine with Elasticsearch…

plugins.security.ssl.http.enabled: 'true'
plugins.security.ssl.http.pemkey_filepath: 'certificates/host/key.pem'
plugins.security.ssl.http.pemcert_filepath: 'certificates/host/cert.pem'
plugins.security.ssl.http.pemtrustedcas_filepath: 'certificates/ca/cert.pem'

plugins.security.ssl.transport.enabled: 'true'
plugins.security.ssl.transport.pemkey_filepath: 'certificates/host/key.pem'
plugins.security.ssl.transport.pemcert_filepath: 'certificates/host/cert.pem'
plugins.security.ssl.transport.pemtrustedcas_filepath: 'certificates/ca/cert.pem'

but all I get is…

[2022-01-14T21:17:13,851][ERROR][o.o.s.s.DefaultSecurityKeyStore] [opensearch] Your keystore or PEM does not contain a key. ...

I would happily just disable security for now. But it is no longer possible to start OpenSearch without transport TLS configured.

@robcowart - no, there isn’t a complete guide … I’ve worked my way through it a couple times now, though.

The message you get might indicate that you don’t have PKCS8 format keys … if your key file starts with “BEGIN PRIVATE KEY”, it’s PKCS8, but if it starts with “BEGIN RSA PRIVATE KEY” it’s the wrong format.