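#!/usr/bin/env bash
# Build a private CA plus a CA-signed keystore/truststore pair for a Kafka broker.
# Run on the broker host; all files are written to the current directory.
#
# Env:  KEYSTORE_PASS - password for the broker keystore, its key and the CA key
#       (defaults to the original placeholder "dilbert"; set a real one).
# NOTE: the password is passed on the command line, so it is visible in shell
#       history and `ps`. For anything beyond a lab setup prefer keytool's
#       -storepass:file / -keypass:file and openssl's -passin/-passout file:...
set -euo pipefail

host=$(hostname -f)
server_alias="${host}-server"
pass=${KEYSTORE_PASS:-dilbert}
readonly host server_alias pass

# 1. Generate the broker key pair. The self-signed certificate created here is a
#    placeholder that step 7 replaces with the CA-signed one.
keytool -genkeypair -alias "$server_alias" -keyalg RSA -keysize 2048 \
  -keystore "${host}-server.jks" \
  -dname "CN=${host},OU=Dept,O=Dilbert.com,L=Ffm,ST=hessen,C=DE" \
  -storepass "$pass" -keypass "$pass"

# 2. Certificate signing request for the broker certificate.
keytool -certreq -alias "$server_alias" \
  -keystore "${host}-server.jks" \
  -file "${host}-server.csr" \
  -storepass "$pass" -keypass "$pass"

# 3. CA private key and self-signed CA certificate. openssl prompts for the
#    subject fields (example answers below). The key passphrase is set
#    explicitly so that step 5's -passin matches it instead of relying on what
#    was typed at the prompt.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 2048 -passout pass:"$pass"
#Country Name (2 letter code) [XX]:DE
#State or Province Name (full name) []:hessen
#Locality Name (eg, city) [Default City]:Ffm
#Organization Name (eg, company) [Default Company Ltd]:Dilbert.com
#Organizational Unit Name (eg, section) []:Dilbert.com
#Common Name (eg, your name or your server's hostname) []:dauf.dilbert.local
#Email Address []:

# 4. Truststore containing only the CA certificate; used by brokers and clients.
#    -noprompt: ca-cert was generated by us one step earlier, there is nothing
#    to review interactively.
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert \
  -storepass "$pass" -noprompt

# 5. Sign the CSR from step 2 with the CA from step 3.
openssl x509 -req -CA ca-cert -CAkey ca-key -in "${host}-server.csr" \
  -out "${host}-server.crt" -days 2048 -CAcreateserial -passin pass:"$pass"

# 6. Import the CA certificate into the broker keystore so the certificate
#    reply in step 7 can be chained to a trusted root.
keytool -keystore "${host}-server.jks" -alias CARoot -import -file ca-cert \
  -storepass "$pass" -noprompt

# 7. Import the signed certificate as a certificate *reply* for the key entry
#    from step 1. The alias MUST match step 1: importing under a different
#    alias (the original used "localhost") only adds a separate trusted-cert
#    entry and leaves the self-signed placeholder on the broker's private key,
#    so clients would still be shown a certificate the CA never signed.
keytool -keystore "${host}-server.jks" -alias "$server_alias" -import \
  -file "${host}-server.crt" -storepass "$pass" -keypass "$pass"

# Files now present:
#ca-cert                 -> self-signed CA certificate; must be in the truststore of every client.
#ca-cert.srl             -> serial counter used by -CAcreateserial; keep it if more certificates will be signed with this CA.
#ca-key                  -> the CA private key; keep it offline/restricted, nobody else needs it.
#client.truststore.jks   -> truststore for Kafka brokers and clients (contains only the CA certificate).
#${host}-server.crt      -> the broker certificate signed with the CA key.
#${host}-server.csr      -> the signing request; no longer needed.
#${host}-server.jks      -> the keystore the Kafka broker uses (a client on this machine could use it too).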