Generating Certificate Fingerprint for Filebeat

Published by Bilal Kaun on

For the purpose of ElasticSearch and Filebeats in particular. The documentation at Elastic does not go into much detail as to what the property ‘ca_sha256‘ is or how to generate it.

The only remark they make is
The pin is a base64 encoded string of the SHA-256 of the certificate.

Not only is this not informative, but also misleading. So the correct way to generate this is via openssl. The correct way is described in the stackoverflow question regarding a non-Elastic query.

$ openssl x509 -in <root-ca.pem> -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64


Leave a Reply