...

Code Block
keytool -keystore {server.keystore.jks} -alias localhost -validity {validity} -genkey

...

Code Block
keytool -keystore {client.truststore.jks} -alias CARoot -import -file {ca-cert}


**Note: If you require client authentication by setting ssl.client.auth to requested or required in the Kafka broker config, then you must also provide a truststore for the Kafka broker, and it must contain all the CA certificates that the clients' keys were signed by.**

Code Block
keytool -keystore {server.truststore.jks} -alias CARoot -import -file {ca-cert}


In contrast to the keystore in step 1, which stores each machine's own identity, the truststore of a client stores all the certificates that the client should trust. Importing a certificate into one's truststore also means trusting every certificate that is signed by that certificate. As in the analogy above, trusting the government (CA) means trusting all passports (certificates) that it has issued. This property is called the chain of trust, and it is particularly useful when deploying SSL on a large Kafka cluster. You can sign all certificates in the cluster with a single CA and have all machines share the same truststore that trusts the CA. That way every machine can authenticate every other machine.
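The chain-of-trust behaviour described above, and the note about the broker needing its own truststore when client authentication is on, can be checked end to end with openssl alone. The script below is an added example, not part of the original page or of the Kafka project: it builds two throwaway CAs, signs a broker certificate and a client certificate with one of them, and then uses openssl verify (the same chain-building a JSSE truststore performs) to show which certificates a truststore holding a given CA would accept. The CA names, common names, file names and the use of a temporary directory are all constructed for the demo; it assumes openssl is on PATH and runs non-interactively, so it does not need a JDK or keytool.

```shell
#!/bin/sh
# Added example: emulate the keystore/truststore trust decisions with openssl only.
# All names below (kafka-ca, other-ca, broker, client1, rogue) are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (same role as the page's ca-cert / ca-key), non-interactively.
make_ca() {  # $1 = CA name
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/$1-key" -out "$WORK/$1-cert" -subj "/CN=$1" >/dev/null 2>&1
}

# Generate a key pair and CSR for a subject, then sign the CSR with the named CA
# (the page's step 3, with openssl standing in for keytool -certreq).
issue_cert() {  # $1 = CA name, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$2-key" -out "$WORK/$2-csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -CA "$WORK/$1-cert" -CAkey "$WORK/$1-key" -CAcreateserial \
    -in "$WORK/$2-csr" -out "$WORK/$2-signed" -days 365 >/dev/null 2>&1
}

# Would a truststore that contains only CA $1 accept certificate $2?
# Prints OK or REJECTED; openssl verify builds the chain the way a truststore does.
trusted_by() {  # $1 = CA name, $2 = subject CN
  if openssl verify -CAfile "$WORK/$1-cert" "$WORK/$2-signed" >/dev/null 2>&1; then
    echo OK
  else
    echo REJECTED
  fi
}

# The cluster CA and an unrelated CA that nobody in the cluster trusts.
make_ca kafka-ca
make_ca other-ca
issue_cert kafka-ca broker    # broker identity, signed by the cluster CA
issue_cert kafka-ca client1   # a client identity, signed by the same CA
issue_cert other-ca rogue     # an identity signed by the unrelated CA

# A client truststore holding kafka-ca accepts the broker cert (chain of trust),
# a broker truststore holding kafka-ca accepts client1 (needed for ssl.client.auth=required),
# and nothing signed by other-ca is accepted anywhere.
echo "client trusts broker:        $(trusted_by kafka-ca broker)"
echo "broker trusts client1:       $(trusted_by kafka-ca client1)"
echo "broker trusts rogue client:  $(trusted_by kafka-ca rogue)"
echo "wrong CA in truststore:      $(trusted_by other-ca broker)"
```

The last two lines are the cases worth remembering: a certificate is rejected both when it was signed by a CA the truststore does not contain and when the truststore holds the wrong CA, which is exactly what happens when a broker is switched to ssl.client.auth=required without the server truststore from the note above.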

...

Code Block
keytool -keystore {server.keystore.jks} -alias localhost -certreq -file {cert-file}


Then sign it with the CA:

Code Block
openssl x509 -req -CA {ca-cert} -CAkey {ca-key} -in {cert-file} -out {cert-signed} -days {validity} -CAcreateserial -passin pass:{ca-password}

...

Code Block
keytool -keystore {server.keystore.jks} -alias CARoot -import -file {ca-cert}
keytool -keystore {server.keystore.jks} -alias localhost -import -file {cert-signed}


The definitions of the parameters are the following:

Code Block
keystore: the location of the keystore
ca-cert: the certificate of the CA
ca-key: the private key of the CA
ca-password: the passphrase of the CA
cert-file: the exported, unsigned certificate of the server
cert-signed: the signed certificate of the server


All of the above steps in a bash script:

Code Block
#!/bin/bash
# Stop at the first failing command so a half-built keystore is not silently reused.
set -e
# Step 1: generate the broker's key pair in its keystore (keytool prompts for
# the keystore password and the certificate's distinguished name).
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey
# Step 2: create a CA (openssl prompts for a passphrase), then import its
# certificate into the broker's and the clients' truststores.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
# Step 3: export a signing request for the broker key, sign it with the CA
# (supplying the CA passphrase chosen in step 2, test1234 here), then import
# the CA certificate and the signed certificate back into the broker keystore.
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed

4. Configuring Kafka Broker

...