We have to generate a certificate authority for signing . if you have already an existing CA then you can skip this step or if you don’t have any certificate authority then you can create by using open SSL utility so before going you know and generating our own CA I want to give you some background so the certificate which we created in the previous step which is unsigned which means so the attackers are anyone can forge the same certificate and they can use so just to avoid the forge certificates we will sign those certificates with the CA certificate authority.

CA works like a government authority so what about the certificate. If you use a certificate without the CA then it is invalid so that is the reason in this step we have to create the CA and we can use it in the future.

By using the open SSL utility I am going to create a CA.

Generate a certificate authority(CA) for signing

    • CA(contains a public-private key pair and certificate, and it is intended to sign other certificates) is a genuine and trusted authority and you can create a CA using below command  
    • Note: Remember the CA password which is used in next steps
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365 

Sign all the broker certificates with generated CA

Before signing, we need to export the certificates from the keystores which we generated in step 1.

keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file

Now we have to sign all certificates which we exported in above step with the CA generated in step 2.

openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days {validity} -CAcreateserial -passin pass:{ca-password}
Eg: openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:654321

Import the CA and signed certificate to broker key store

We can import both the certificate of the CA and the signed certificate into the keystore by using below command

keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed 

Import CA to client trust store & broker trust store

Copy the CA which we generated in step 2 into your client compute and then import the CA into your client trust store by using below command

keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

Note: Remember the trust store password which is used in next steps
 

Import the CA into your broker trust store by using below command

(It is helpful when you configure the Kafka brokers to require client authentication by setting ssl.client.auth to be “requested” or “required”  )

keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

Note: Remember the trust store password which is used in next steps

For 2-way authentication(Broker has to trust client), along with the above steps you have to follow below steps: 

Generate client certificate like step 1 from the client VM

Sign the client certificate with the CA which we generated in step 2 i.e like step 3

We already added the CA to broker trust store so the broker trusts all the certificates which are signed by this CA

 

Tags:






Youtube
Facebook
Google Plus
Twitter
TutorialDrive


Apache Zookeeper Tutorial

Apache Kafka Tutorial

Apache Kafka Security

Elasticserarch n Kibana

Java 8 Tutorial

Log4J Tutorial

Apache Storm Tutorial

SQLite Tutorial

Apache Ant Tutorial

Related Posts

blog

Apache Kafka Commands Cheat sheet

Spread the loveKafka Topics List existing topics bin/kafka-topics.sh –zookeeper localhost:2181 –list Purge a topic bin/kafka-topics.sh –zookeeper localhost:2181 –alter –topic mytopic –config retention.ms=1000 … wait a minute … bin/kafka-topics.sh –zookeeper localhost:2181 –alter –topic mytopic –delete-config retention.ms
Read more…

blog

What is Apache Maven | Apache Maven complete tutorial from scratch pdf

Spread the love In this post you will learn the complete tutorial of Apache Maven build tool What is Maven ? Apache Maven is a software project management and comprehension tool. Based on the concept
Read more…

blog

Practical Guide for Web Development in 2018

Spread the loveWelcome to my practical guide  for web development in 2018 in terms of  technology and career. Before we start I just want to  mention a few things, you don’t need to learn  everything that
Read more…