  1. # 1. Generate server keypair (broker1)
  2. keytool -genkeypair -alias $(hostname -f)-server -keyalg RSA -keystore \
  3. $(hostname -f)-server.jks -keysize 2048 -dname \
  4. "CN=$(hostname -f),OU=Dept,O=Dilbert.com,L=Ffm,ST=hessen,C=DE" \
  5. -storepass dilbert -keypass dilbert
  6.  
  7. # 2. Create certificate signing request for broker certificate
  8. keytool -certreq -alias $(hostname -f)-server \
  9. -keystore $(hostname -f)-server.jks \
  10. -file $(hostname -f)-server.csr -storepass dilbert \
  11. -keypass dilbert
  12.  
  13. # 3. Create key and certificate for CA
  14. openssl req -new -x509 -keyout ca-key -out ca-cert -days 2048
  15. #Country Name (2 letter code) [XX]:DE
  16. #State or Province Name (full name) []:hessen
  17. #Locality Name (eg, city) [Default City]:Ffm
  18. #Organization Name (eg, company) [Default Company Ltd]:Dilbert.com
  19. #Organizational Unit Name (eg, section) []:Dilbert.com
  20. #Common Name (eg, your name or your server's hostname) []:dauf.dilbert.local
  21. #Email Address []:
  22.  
  23. # 4. Import ca certificate as trusted into truststore for brokers
  24. keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
  25.  
  26. # Unnecessary, as we created a csr in step 2
  27. #keytool -keystore dauf.dilbert.local-server.jks -alias dauf.dilbert.local-server -certreq -file dauf.dilbert.local-server.crt
  28.  
  29. # 5. Sign csr from step 2 with ca from stop 3
  30. #openssl x509 -req -CA ca-cert -CAkey ca-key -in dauf.dilbert.local-server.crt -out dauf.dilbert.local-server-signed.crt -days 2048 -CAcreateserial -passin pass:dilbert
  31. openssl x509 -req -CA ca-cert -CAkey ca-key -in $(hostname -f)-server.csr -out $(hostname -f)-server.crt -days 2048 -CAcreateserial -passin pass:dilbert
  32.  
  33. # 6. Import CA certificate into broker keystore
  34. keytool -keystore $(hostname -f)-server.jks -alias CARoot -import -file ca-cert
  35.  
  36. # 7. Import signed certificate into broker keystore
  37. keytool -keystore $(hostname -f)-server.jks -alias localhost -import -file $(hostname -f)-server.crt
  38.  
  39. # Following files now exist:
  40. #ca-cert -> The self-signed certificate of the CA, this needs to be present in truststores of all clients.
  41. #ca-cert.srl -> Serial number of the signed certificate, not needed
  42. #ca-key -> The private key of the CA, to be kept safe and not accessible to anybody!
  43. #client.truststore.jks -> The truststore to be used by kafka brokers and clients (contains the ca certificate, nothing else)
  44. #laptop.liebau.biz-server.crt -> the certificate for this server that was signed with the ca private key
  45. #laptop.liebau.biz-server.csr -> the signing request - not needed anymore
  46. #laptop.liebau.biz-server.jks -> the java key store that the kafka broker should use (and can also be used by a client if it runs on this machine)