Generate keys for nginx, with only a public key

Question

I have an Elasticsearch endpoint as a service (I have no access to config/server). The service provided me with a username and password, and a single "TLS certificate" file, which when decoded says that it is RSA Public-Key: (2048 bit)

I am running nginx and want to use it as a reverse proxy for this Elasticsearch endpoint. So I have to get nginx to handle the application of the certificate when it relays the request. Similar to this example config (from nginx docs):

location /upstream {
        proxy_pass                    https://backend.example.com;
        proxy_ssl_certificate         /etc/nginx/client.pem;
        proxy_ssl_certificate_key     /etc/nginx/client.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }

Any idea how I can generate the client.pem and client.key required (e.g. using openssl) -- when all I have to start with is a single public key file?

(edit)

Not sure if it helps, but this is how we are doing something similar with this public key, in a Java application. It takes the key file and builds an object that has a fully-formed x509 certificate, which gets sent to Elastic along with the request...and it works.

File caFile = new File("elastic_key_file.crt");
CertificateFactory fact = CertificateFactory.getInstance("X.509");
FileInputStream is = new FileInputStream(caFile);
X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(null, null);
keystore.setCertificateEntry("public", cer);

(edit)

Ended up being not related to SSL or that certificate Elastic gave me...which ended up being a point of confusion for me as I thought it was important. Here are the proxy settings in nginx that worked:

# Get the origin into a variable, for substitution into the header, below
map $http_origin $allow_origin {
    ~^https?://(.*\.)?incomingdomain.com(:\d+)?$ $http_origin;
    default "";
}

proxy_redirect off;
add_header 'Access-Control-Allow-Origin' $allow_origin;
add_header 'Access-Control-Allow-Methods' 'OPTIONS, HEAD, GET, POST, PUT, DELETE';
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Content-Type, Content-Length, Authorization';

location /ElasticSearch/someSearch {
    proxy_pass https://elasticdomain/_search;
}

Answer 1

This is impossible, you cannot create certificate and private key from a certificate. This would be a huge security problem if this was possible since the certificate is considered public and the private key should be kept secret.

... but this is how we are doing something similar with this public key ...

The code you show has nothing to do with your requirement. It just loads a certificate from a file (generateCertificate does not create a certificate, it just creates a certificate object from existing data). No private key is created here.

   proxy_ssl_certificate         /etc/nginx/client.pem;
   proxy_ssl_certificate_key     /etc/nginx/client.key;

I think you are on the wrong path in the first place. While you don't provide any useful details about the certificate you got, I assume that this certificate is the certificate of the Elasticsearch endpoint and you should use it to verify that the certificate is the expected one. In this case you would need to use the option proxy_ssl_trusted_certificate file and there is no private key needed for this.

What you instead try to do with proxy_ssl_certificate and proxy_ssl_certificate_key is to authenticate yourself against the server with the certificate, i.e. use it as a client certificate.