diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
index 6d325900878..4bfa884b3a2 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/pki/PkiRealm.java
@@ -174,9 +174,10 @@ public class PkiRealm extends Realm {
 private static X509TrustManager trustManagersFromTruststore(String truststorePath, RealmConfig realmConfig) {
 final Settings settings = realmConfig.settings();
- if (SSL_SETTINGS.truststorePassword.exists(settings) == false) {
- throw new IllegalArgumentException(
- "[" + RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] is not configured"
+ if (SSL_SETTINGS.truststorePassword.exists(settings) == false && SSL_SETTINGS.legacyTruststorePassword.exists(settings) == false) {
+ throw new IllegalArgumentException("Neither [" +
+ RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.truststorePassword) + "] or [" +
+ RealmSettings.getFullSettingKey(realmConfig, SSL_SETTINGS.legacyTruststorePassword) + "] is configured"
 );
 }
 try (SecureString password = SSL_SETTINGS.truststorePassword.get(settings)) {
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
index 12869ff3104..cb4c9dd3e1f 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authc/pki/PkiRealmTests.java
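Review bot: In `trustManagersFromTruststore` (PkiRealm.java), the widened guard accepts a realm that sets only the legacy `truststore.password`, but the context line right after it still reads `SSL_SETTINGS.truststorePassword.get(settings)` alone. Loading the truststore therefore works only if that setting is declared with the legacy one as its fallback, which is not visible in this hunk. Once that is confirmed against the settings declaration, a comment on the `try` line would make the dependency explicit, for example `// truststorePassword falls back to legacyTruststorePassword when the secure setting is absent`. The new message should also read `Neither [...] nor [...] is configured`; changing it means updating the matching `containsString` assertion in PkiRealmTests. The method body continues past the end of the hunk.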
@@ -214,10 +214,22 @@ public class PkiRealmTests extends ESTestCase {
 new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
 fail("exception should have been thrown");
 } catch (IllegalArgumentException e) {
- assertThat(e.getMessage(), containsString("[xpack.security.authc.realms.mypki.truststore.secure_password] is not configured"));
+ assertThat(e.getMessage(), containsString("Neither [xpack.security.authc.realms.mypki.truststore.secure_password] or [" +
+ "xpack.security.authc.realms.mypki.truststore.password] is configured"));
 }
 }
+ public void testTruststorePathWithLegacyPasswordDoesNotThrow() throws Exception {
+ Settings settings = Settings.builder()
+ .put("truststore.path",
+ getDataPath("/org/elasticsearch/xpack/security/transport/ssl/certs/simple/testnode-client-profile.jks"))
+ .put("truststore.password", "testnode-client-profile")
+ .build();
+ new PkiRealm(new RealmConfig("mypki", settings, globalSettings, new Environment(globalSettings),
+ new ThreadContext(globalSettings)), mock(UserRoleMapper.class));
+ assertSettingDeprecationsAndWarnings(new Setting[] { SSLConfigurationSettings.withoutPrefix().legacyTruststorePassword });
+ }
+
 public void testCertificateWithOnlyCnExtractsProperly() throws Exception {
 X509Certificate certificate = mock(X509Certificate.class);
 X500Principal principal = new X500Principal("CN=PKI Client");
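Review bot: `testTruststorePathWithLegacyPasswordDoesNotThrow` covers the legacy-only case, but no test in this hunk pins what happens when both `truststore.secure_password` and `truststore.password` are set for the realm, a configuration the new guard in PkiRealm lets through. A companion test that sets both and checks which value opens the truststore would document the precedence, which presumably favours the secure setting. A one-line comment above the new test, such as `// legacy plaintext truststore.password is still accepted but must emit a deprecation warning`, would also state why the test ends with `assertSettingDeprecationsAndWarnings`.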