Card #585 · Elastic (Elasticsearch / Kibana)
Strict Extended Key Usage validation when using explicit truststore
When switching from keystore-only to an explicit truststore configuration, Elasticsearch enforces stricter Extended Key Usage (EKU) validation. This causes SSL handshake failures if certificates lack both serverAuth and clientAuth, preventing nodes from rejoining the cluster during rolling updates.
Pain score
0.17/ 1.00 · weighted product of four components
Reach0.47distinct authors (log-normalized)
Recency1.00freshness decay, half-life months
Engagement0.81upvotes + comments, normalized
Monetization0.50willingness-to-pay cues in evidence
§ Evidence — 3 verified quotes
Does truststore configuration enforce stricter Extended Key Usage validation than keystore-only mode?
sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
If we deploy truststore in a rolling fashion: Nodes without truststore (implicit trust): 990 nodes online Nodes with truststore (explicit trust): 10 nodes restarting/rejoining When the 10 restarted nodes try to rejoin, they fail SSL handshake with the 990 nodes
Comments are a Pro feature — join the conversation, share what you've shipped, hear what others are building.
Upgrade to Pro