diff --git a/src/cli_setup/cli_setup.ts b/src/cli_setup/cli_setup.ts
index a23a0a9f25c1e..715a74b606732 100644
--- a/src/cli_setup/cli_setup.ts
+++ b/src/cli_setup/cli_setup.ts
@@ -33,7 +33,7 @@ program
 .description(
 'This command walks you through all required steps to securely connect Kibana with Elasticsearch'
 )
- .option('-t, --token ', 'Elasticsearch enrollment token')
+ .option('-t, --enrollment-token ', 'Elasticsearch enrollment token')
 .option('-s, --silent', 'Prevent all logging');
 
 program.parse(process.argv);
@@ -82,9 +82,9 @@ async function initCommand() {
 } catch (error) {
 if (!options.silent) {
 spinner.fail(
- `${chalk.bold('Unable to enroll with Elasticsearch:')} ${chalk.red(
- `${getDetailedErrorMessage(error)}`
- )}`
+ `${chalk.bold(
+ 'Unable to connect to Elasticsearch with the provided enrollment token:'
+ )} ${chalk.red(`${getDetailedErrorMessage(error)}`)}`
 );
 }
 logger.error('');
diff --git a/src/plugins/interactive_setup/public/cluster_configuration_form.tsx b/src/plugins/interactive_setup/public/cluster_configuration_form.tsx
index 967a069df3834..7b6733999d87f 100644
--- a/src/plugins/interactive_setup/public/cluster_configuration_form.tsx
+++ b/src/plugins/interactive_setup/public/cluster_configuration_form.tsx
@@ -258,9 +258,9 @@ export const ClusterConfigurationForm: FunctionComponent {
- const intermediateCa = certificateChain[Math.min(1, certificateChain.length - 1)];
+ const rootCa = certificateChain[certificateChain.length - 1];
 form.setTouched('caCert');
- form.setValue('caCert', form.values.caCert ? '' : intermediateCa.raw);
+ form.setValue('caCert', form.values.caCert ? '' : rootCa.raw);
 }} >
diff --git a/test/interactive_setup_api_integration/fixtures/README.md b/test/interactive_setup_api_integration/fixtures/README.md
index 5a7238bbba75a..e259030190108 100644
--- a/test/interactive_setup_api_integration/fixtures/README.md
+++ b/test/interactive_setup_api_integration/fixtures/README.md
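Review bot: Renaming the flag to `--enrollment-token` also changes the parsed property name (assuming this is commander, long options are camel-cased, so `options.token` becomes `options.enrollmentToken`), and the read site is outside this hunk; confirm it was updated, otherwise the token silently reads as undefined and every run takes the failure path. The value placeholder after the flag name appears to have been lost in this rendering (`'-t, --enrollment-token '`); if the source really lacks a `<token>` placeholder, commander treats the option as a boolean and the supplied value is ignored. An enrollment token is a credential, and any value taken from argv is visible in process listings and shell history, so a short remark in the option help, or accepting the token from stdin or an environment variable as an alternative, would be worth adding. The `program` option chain starts before this hunk.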
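Review bot: The inner template literal in the new `)} ${chalk.red(...)}` line only re-stringifies a value that is already interpolated; `${chalk.red(getDetailedErrorMessage(error))}` reads the same and drops one level of nesting, which also removes the backtick-inside-backtick that makes the line hard to scan. The reformatted `chalk.bold(` call now spreads one short sentence over three lines; a slightly shorter message, or hoisting the two strings into named constants above the `spinner.fail(` call, would keep the whole call on one line. `initCommand` starts before this hunk and its body continues after it.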
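Review bot: `certificateChain[certificateChain.length - 1]` yields `undefined` for an empty chain, so `rootCa.raw` on the next added line throws inside the click handler; the previous `Math.min(1, ...)` form had the same gap, so the rename is a good moment to guard it, e.g. `const rootCa = certificateChain[certificateChain.length - 1]; if (!rootCa) return;` (under `noUncheckedIndexedAccess` the compiler would require this narrowing anyway). Naming the last element `rootCa` also assumes the chain is ordered leaf-to-root and that the server actually sends its self-signed root; servers commonly omit the root, in which case this element is the top-most intermediate, so either check that the chosen entry is self-signed (issuer equals subject, if the chain entries expose that) before labelling it the root, or describe it in the UI as the last certificate in the presented chain. Because the chain comes from a not-yet-trusted Elasticsearch endpoint, the value written to `caCert` is trusted on first use; if the form shows a fingerprint for the operator to verify, it should be the fingerprint of exactly this certificate. The click handler this code sits in starts and ends outside the hunk.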
@@ -6,27 +6,86 @@ The Elasticsearch HTTP layer keystore is supposed to mimic the PKCS12 keystore t - A PrivateKeyEntry for the CA's key and certificate - A TrustedCertificateEntry for the CA's certificate +__IMPORTANT:__ CA keystore (ca.p12) is not checked in intentionally, talk to @elastic/kibana-security if you need it to sign new certificates. + ```bash -$ES_HOME/bin/elasticsearch-certutil cert \ - --out $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \ - --ca $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 --ca-pass "castorepass" --pass "storepass" \ - --dns=localhost --dns=localhost.localdomain --dns=localhost4 --dns=localhost4.localdomain4 \ +ROOT_CA_PATH='packages/kbn-dev-utils/certs/ca.p12' +ROOT_CA_NAME='root' +INTERMEDIATE_CA_NAME='intermediate' +INSTANCE_NAME='elasticsearch' + +# Create intermediate CA +bin/elasticsearch-certutil ca --ca-dn "CN=Elastic Intermediate CA" -days 18250 --out $INTERMEDIATE_CA_NAME.p12 --pass castorepass + +# Create instance certificate +bin/elasticsearch-certutil cert \ + --ca $INTERMEDIATE_CA_NAME.p12 --ca-pass castorepass --name $INSTANCE_NAME \ + --dns=localhost --dns=localhost.localdomain \ + --dns=localhost4 --dns=localhost4.localdomain4 \ --dns=localhost6 --dns=localhost6.localdomain6 \ - --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 -``` + --ip=127.0.0.1 --ip=0:0:0:0:0:0:0:1 \ + -days 18250 --out $INSTANCE_NAME.p12 --pass storepass -Change the alias of the TrustedCertificateEntry so that it won't clash with the CA PrivateKeyEntry -```bash +# Convert P12 keystores to PEM files +openssl pkcs12 -in $ROOT_CA_PATH -out $ROOT_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass: +openssl pkcs12 -in $ROOT_CA_PATH -nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $ROOT_CA_NAME.key + +openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 -out $INTERMEDIATE_CA_NAME.crt -nokeys -passin pass:castorepass -passout pass: +openssl pkcs12 -in $INTERMEDIATE_CA_NAME.p12 
-nocerts -passin pass:castorepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INTERMEDIATE_CA_NAME.key + +openssl pkcs12 -in $INSTANCE_NAME.p12 -out $INSTANCE_NAME.crt -clcerts -passin pass:storepass -passout pass: +openssl pkcs12 -in $INSTANCE_NAME.p12 -nocerts -passin pass:storepass -passout pass:keypass | openssl rsa -passin pass:keypass -out $INSTANCE_NAME.key + +# Re-sign intermediate CA +mkdir -p ./tmp +openssl x509 -x509toreq -in $INTERMEDIATE_CA_NAME.crt -signkey $INTERMEDIATE_CA_NAME.key -out ./tmp/$INTERMEDIATE_CA_NAME.csr +dd if=/dev/urandom of=./tmp/rand bs=256 count=1 +touch ./tmp/index.txt +echo "01" > ./tmp/serial +cp /System/Library/OpenSSL/openssl.cnf ./tmp/ +echo " +[ tmpcnf ] +dir = ./ +certs = ./ +new_certs_dir = ./tmp +crl_dir = ./tmp/crl +database = ./tmp/index.txt +unique_subject = no +certificate = ./$ROOT_CA_NAME.crt +serial = ./tmp/serial +crlnumber = ./tmp/crlnumber +crl = ./tmp/crl.pem +private_key = ./$ROOT_CA_NAME.key +RANDFILE = ./tmp/rand +x509_extensions = v3_ca +name_opt = ca_default +cert_opt = ca_default +default_days = 18250 +default_crl_days= 30 +default_md = sha256 +preserve = no +policy = policy_anything +" >> ./tmp/openssl.cnf + +openssl ca -batch -config ./tmp/openssl.cnf -name tmpcnf -in ./tmp/$INTERMEDIATE_CA_NAME.csr -out $INTERMEDIATE_CA_NAME.crt + +# Convert PEM files back to P12 keystores +cat $INTERMEDIATE_CA_NAME.key $INTERMEDIATE_CA_NAME.crt $ROOT_CA_NAME.crt | openssl pkcs12 -export -name $INTERMEDIATE_CA_NAME -passout pass:castorepass -out $INTERMEDIATE_CA_NAME.p12 +cat $INSTANCE_NAME.key $INSTANCE_NAME.crt $ROOT_CA_NAME.crt $INTERMEDIATE_CA_NAME.crt | openssl pkcs12 -export -name $INSTANCE_NAME -passout pass:storepass -out $INSTANCE_NAME.p12 + +# Verify contents of keystores +openssl pkcs12 -info -in $INTERMEDIATE_CA_NAME.p12 -passin pass:"castorepass" -nodes +openssl pkcs12 -info -in $INSTANCE_NAME.p12 -passin pass:"storepass" -nodes + +# Change the alias of the TrustedCertificateEntry so 
that it won't clash with the CA PrivateKeyEntry keytool -changealias -alias ca -destalias cacert -keystore \ - $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \ + $INSTANCE_NAME.p12 \ -deststorepass "storepass" -``` -Import the CA PrivateKeyEntry -```bash +# Import the CA PrivateKeyEntry keytool -importkeystore \ - -srckeystore $KIBANA_HOME/packages/kbn-dev-utils/certs/ca.p12 \ + -srckeystore $ROOT_CA_PATH \ -srcstorepass "castorepass" \ - -destkeystore $KIBANA_HOME/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 \ + -destkeystore $INSTANCE_NAME.p12 \ -deststorepass "storepass" ``` diff --git a/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 b/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 index 964932d8ffe5e..62cecb487804d 100644 Binary files a/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 and b/test/interactive_setup_api_integration/fixtures/elasticsearch.p12 differ