All keys must be in the PKCS#5 v1.5 format to work with the jdk. See this amazon article for more information about creating and using custom certs with opendistro elasticsearch.
The Amazon article says the same thing when describing how to create the key:
IMPORTANT: Convert these to PKCS#5 v1.5 to work correctly with the JDK. Output from
this command will be used in all the config files.
$ openssl pkcs8 -v1 "PBE-SHA1-3DES" -in "odfe-node1-pkcs12.key" -topk8 -out "odfe-node1.key" -nocrypt
However, per the documentation, openssl pkcs8 ... -topk8 ... will create a pkcs#8 Key, not pkcs#5:
-topk8
Normally a PKCS#8 private key is expected on input and a traditional format private key will be written. With the -topk8 option the situation is reversed: it reads a traditional format private key and writes a PKCS#8 format key.
So is there another step -- converting from 8 to 5 -- that they are not describing, and if so, what would that look like? Or was this just a typo, did the article mean to say "Convert these to PKCS#8", and then that got propagated to the README.md file, here?
Finally, the JDK being used by opendistro shows the default keystore type as: keystore.type=pkcs12. (I think I read this is since jdk 9.) So I assume the JDK supports pkcs12, so is this even necessary, anymore?
Expected Behavior
Clear instructions for how to generate the certs necessary for security configuration.
Current Behavior
Unclear instructions for how to generate the certs necessary for security configuration.
Failure Information (for bugs)
na
Relevant information
na
Query How do you convert the custom keys to PKCS#5 v1.5 and is it even correct to do so?
Under Install and Configure > Helm, it points to the README.md for security configuration. In README.md, under Notes About Using Custom Certs, it states:
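An added example, not part of the original issue or of the project's code: a Python check that reports which container a PEM private key actually uses by parsing its DER layout, so the file written by the `openssl pkcs8` command quoted above can be inspected directly. The function and constant names are this example's own, the sample keys are constructed skeletons rather than usable keys, and the traditional-format branch assumes an RSA key.

```python
import base64
import re

# DER-encoded OIDs of password-based encryption schemes found in encrypted PKCS#8 keys.
PBE_OIDS = {
    bytes.fromhex("2a864886f70d010c0103"): "PKCS#12 PBE-SHA1-3DES",
    bytes.fromhex("2a864886f70d01050d"): "PKCS#5 v2.0 PBES2",
}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify(pem_text):
    """Return (container, pbe_scheme) for the first PEM block, judged by its DER layout."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    tag, body, _ = read_tlv(base64.b64decode("".join(m.group(2).split())))
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    t1, v1, nxt = read_tlv(body)
    if t1 == 0x30:  # starts with AlgorithmIdentifier: EncryptedPrivateKeyInfo
        _, oid, _ = read_tlv(v1)
        return "PKCS#8 encrypted", PBE_OIDS.get(oid, "unrecognised scheme")
    t2, _, _ = read_tlv(body, nxt)
    if (t1, t2) == (0x02, 0x30):  # version, then AlgorithmIdentifier: PrivateKeyInfo
        return "PKCS#8 unencrypted", None
    if (t1, t2) == (0x02, 0x02):  # version, then modulus: RSAPrivateKey
        return "traditional PKCS#1", None
    raise ValueError("unrecognised private key structure")

# Constructed sample data: structurally valid skeletons, not usable keys.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form lengths are enough here

def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

RSA_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
PBE_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010c0103"))
              + tlv(0x30, tlv(0x04, b"saltsalt") + tlv(0x02, b"\x08\x00")))
PKCS1 = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x00\xc1") + tlv(0x02, b"\x01\x00\x01"))
PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + RSA_ALG + tlv(0x04, PKCS1))
PKCS8_ENC = tlv(0x30, PBE_ALG + tlv(0x04, b"\x00" * 16))
```

Passing the text of a real key file to `classify` shows what a given `openssl` invocation produced. With `-nocrypt` no password-based encryption is applied, so the `-v1` algorithm is not used and the output classifies as unencrypted PKCS#8.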