In the in progress mTLS implementation we do not expose command line options for reading a passphrase-protected certificate key from a file. We need to add support for that, matching the support for fleet-server certificate and the fleet-server client certificate for connecting to Elasticsearch.

Following the current pattern, the new flag should be --elastic-agent-cert-key-passphrase.

Required tests:

• Unit tests:

  • Ensure --elastic-agent-cert-key-passphrase adheres to the same requirements as --fleet-server-cert-key-passphrase.
  • Verify that both --elastic-agent-cert-key and --elastic-agent-cert are provided when --elastic-agent-cert-key-passphrase is present.
  • Confirm that *enrollCmdOption) remoteConfig() accurately incorporates the passphrase into tlscommon.CertificateConfig.
  • Validate that fleetclient.NewWithConfig generates a valid client capable of establishing an mTLS connection to a mock server.
  • Ensure the policy TLS client settings take precedence over the CLI. Extend policy with SSL config to ensure the client certificate key passphrase from the cli is not left in the config when the policy's client client certificate key is not passphrase-protected.

• Integration tests: Out of scope for this ticket, as they are impacted by

  • --insecure flag should not be required during enroll/install because we have an http Fleet URL #4896
  • Improve test proxy/mock fleet server to support further elastic-agent TLS tests #4903.

Acceptance criteria:

• Elastic Agent can be configured to use a passphrase protected private key for the client mTLS certificate with a proxy or fleet-server.
• the e2e test to assert it works is manual.