This script requires a self-signed Certificate Authority (CA) to be present; it uses that CA to sign all certs. If your organisation has restrictions on self-signed root CAs, you can still adapt this script to generate all the certificate requests (certreq) and have them signed by an external root CA.
Since hostname verification is enabled by default, the script honours X509v3 extensions so that Subject Alternative Names (SAN) are added. By default, OpenSSL will not include SAN information in the signed cert unless an ext file is also provided; this script does just that.
Please adjust the variable values and X.500 Distinguished Name settings to your needs. Windows users can run this script from a MinGW bash shell (if you use Git, the bash shell that ships with it is the easiest route).
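#!/usr/bin/env bash
# OpenSSL/keytool based key and certificate generation for Kafka.
#
# For every broker in BROKERS and for one client it: generates an RSA key pair
# in a JKS keystore, produces a certificate request, signs it with the
# pre-existing CA ($CA_CERT_NAME / $CA_KEY) while preserving the DNS SAN via an
# X509v3 ext file, and imports the CA root plus the signed cert back into the
# keystore. Finally the CA root is imported into the broker truststore.
#
# Requires: keytool (JDK) and openssl on PATH; the CA certificate and the
# (passphrase-protected) CA key in the working directory. Adjust the
# "Setup params" and the X.500 DN components to your needs.
set -euo pipefail

# --- Setup params -----------------------------------------------------------
PASSWORD=gibrishwordforyou
VALIDITY=365
PROJECT_PREFIX=my-kafka
BROKERS=(funnyaddress.com unfunnyguy.com)   # one broker hostname per element
CLIENT_ALIAS=myclientname
CLIENT_KEYSTORE=$PROJECT_PREFIX.client.keystore.jks
CLIENT_CERT_FILE=$PROJECT_PREFIX-client-cert-file
CLIENT_CERT_SIGNED=$PROJECT_PREFIX-client-cert-signed.crt
CA_ROOT_ALIAS=ca-root
CA_CERT_NAME=ca-cert.crt
CA_KEY=ca-key.key
BROKER_TRUSTSTORE=$PROJECT_PREFIX.truststore.jks
# DN components shared by every certificate; the CN is filled in per entity.
DN_SUFFIX='OU=SomeUnit,O=SomeOrg,L=London,S=England,C=GB'

# The password is handed to keytool (-storepass:env / -keypass:env) and to
# openssl (-passin env:) through the environment instead of argv, so it does
# not appear in `ps` output or in the command line of the child processes.
export PASSWORD

# --- Helpers ----------------------------------------------------------------
die() { printf '%s\n' "$*" >&2; exit 1; }

# Prints a section banner in the same "###" style as the original script.
banner() { printf '\n\n###\n###%s\n\n###\n###\n' "$*"; }

#######################################
# Generate a broker key pair and the X509v3 ext file carrying its DNS SAN.
# Globals:   PROJECT_PREFIX, DN_SUFFIX, VALIDITY, PASSWORD (via env)
# Arguments: $1 - broker hostname (used as keystore alias, CN and DNS SAN)
#######################################
gen_broker_key() {
  local broker=$1
  local keystore=$PROJECT_PREFIX-$broker.jks
  keytool -genkeypair -keysize 2048 -keyalg RSA \
    -keystore "$keystore" -alias "$broker" \
    -dname "CN=$broker,$DN_SUFFIX" \
    -ext "SAN=DNS:$broker" -validity "$VALIDITY" \
    -keypass:env PASSWORD -storepass:env PASSWORD
  # openssl x509 -req does not copy extensions from the CSR; the SAN has to be
  # restated in an extfile for the signing step, otherwise the signed cert
  # would lack it and hostname verification would fail.
  printf 'subjectAltName=DNS:%s\n' "$broker" > "$PROJECT_PREFIX-x509v3-$broker.ext"
}

#######################################
# Create a certificate request for a broker and sign it with the CA.
# Globals:   PROJECT_PREFIX, CA_CERT_NAME, CA_KEY, VALIDITY, PASSWORD (via env)
# Arguments: $1 - broker hostname
#######################################
sign_broker_cert() {
  local broker=$1
  local keystore=$PROJECT_PREFIX-$broker.jks
  local certreq=$PROJECT_PREFIX-$broker-cert-file
  keytool -certreq -keystore "$keystore" -alias "$broker" \
    -ext "SAN=DNS:$broker" -file "$certreq" \
    -storepass:env PASSWORD -keypass:env PASSWORD
  openssl x509 -req -CA "$CA_CERT_NAME" -CAkey "$CA_KEY" \
    -in "$certreq" -out "$PROJECT_PREFIX-$broker-cert-signed.crt" \
    -days "$VALIDITY" -CAcreateserial -passin env:PASSWORD \
    -extfile "$PROJECT_PREFIX-x509v3-$broker.ext"
}

#######################################
# Import the CA root and the signed broker certificate into the broker keystore.
# Globals:   PROJECT_PREFIX, CA_ROOT_ALIAS, CA_CERT_NAME, PASSWORD (via env)
# Arguments: $1 - broker hostname
#######################################
import_broker_certs() {
  local broker=$1
  local keystore=$PROJECT_PREFIX-$broker.jks
  # -noprompt: the CA root is our own, so skip the interactive "Trust this
  # certificate?" question that would otherwise block an unattended run.
  keytool -import -noprompt -keystore "$keystore" -alias "$CA_ROOT_ALIAS" \
    -file "$CA_CERT_NAME" -storepass:env PASSWORD -keypass:env PASSWORD
  # Importing the reply into the existing key entry needs the key password.
  keytool -import -keystore "$keystore" -alias "$broker" \
    -file "$PROJECT_PREFIX-$broker-cert-signed.crt" \
    -storepass:env PASSWORD -keypass:env PASSWORD
}

#######################################
# Generate, sign and import the client key pair and certificate.
# Globals:   CLIENT_*, CA_*, DN_SUFFIX, VALIDITY, PASSWORD (via env)
#######################################
prepare_client() {
  keytool -genkeypair -keysize 2048 -keyalg RSA \
    -keystore "$CLIENT_KEYSTORE" -alias "$CLIENT_ALIAS" \
    -dname "CN=$CLIENT_ALIAS,$DN_SUFFIX" -validity "$VALIDITY" \
    -storepass:env PASSWORD -keypass:env PASSWORD
  keytool -certreq -keystore "$CLIENT_KEYSTORE" -alias "$CLIENT_ALIAS" \
    -file "$CLIENT_CERT_FILE" -storepass:env PASSWORD -keypass:env PASSWORD
  openssl x509 -req -CA "$CA_CERT_NAME" -CAkey "$CA_KEY" \
    -in "$CLIENT_CERT_FILE" -out "$CLIENT_CERT_SIGNED" \
    -days "$VALIDITY" -CAcreateserial -passin env:PASSWORD
  keytool -import -noprompt -keystore "$CLIENT_KEYSTORE" -alias "$CA_ROOT_ALIAS" \
    -file "$CA_CERT_NAME" -storepass:env PASSWORD -keypass:env PASSWORD
  keytool -import -keystore "$CLIENT_KEYSTORE" -alias "$CLIENT_ALIAS" \
    -file "$CLIENT_CERT_SIGNED" -storepass:env PASSWORD -keypass:env PASSWORD
}

# --- Main -------------------------------------------------------------------
main() {
  local broker

  # Preflight: fail before any keystore is written if a tool or the CA
  # material is missing (set -e alone would leave a half-generated set).
  command -v keytool >/dev/null || die "keytool not found on PATH"
  command -v openssl >/dev/null || die "openssl not found on PATH"
  [[ -r "$CA_CERT_NAME" ]] || die "CA certificate $CA_CERT_NAME not found"
  [[ -r "$CA_KEY" ]] || die "CA key $CA_KEY not found"

  printf '%s\n' "OpenSSL based Keys/Cert generation for Kafka"

  banner "Generating Keys for listed brokers = ${BROKERS[*]}"
  for broker in "${BROKERS[@]}"; do
    gen_broker_key "$broker"
  done

  banner "Signing and importing certificates using CA file $CA_CERT_NAME and CA keys file $CA_KEY"
  for broker in "${BROKERS[@]}"; do
    sign_broker_cert "$broker"
  done

  banner "Importing CA root $CA_CERT_NAME and signed broker certs into keystore"
  for broker in "${BROKERS[@]}"; do
    import_broker_certs "$broker"
  done

  banner "Preparing Client Certificates and keystores"
  prepare_client

  # Once everything is done - import CA into the broker trust store. Brokers
  # verify client certificates against this truststore, and it must contain
  # only the CA root, never the broker's own private key material.
  banner "Importing CA root $CA_CERT_NAME into broker truststore $BROKER_TRUSTSTORE"
  keytool -import -noprompt -keystore "$BROKER_TRUSTSTORE" -alias "$CA_ROOT_ALIAS" \
    -file "$CA_CERT_NAME" -storepass:env PASSWORD
  # The client truststore is not created here; the client keystore already
  # holds the CA root under $CA_ROOT_ALIAS, which is what the original script
  # relied on. Create a separate client truststore the same way if needed.
}

main "$@"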