Saturday, March 6, 2021

Create truststore and keystore for local Kafka and Zookeeper on Windows

Scenario:

  1. Needed to use local Zookeeper and Kafka with an existing CA certificate as well as an existing consumer certificate.
  2. Hence needed a server certificate with a specific CN that is also valid for 127.0.0.1, not only for localhost.
  3. Modification of the Windows hosts file was not allowed.
All samples I found on the net presumed that the CA needs to be generated. My use case was different: I was given a CA and a client certificate, and I needed to use that defined certificate chain for authentication.

Used Git Bash, i.e. a cygwin-like shell, for this exercise, hence the winpty prefix on the line with the openssl command (native Windows console programs need it to interact with the mintty terminal).


 # 1. Server key pair. The CN becomes the Kafka principal, the SAN is what hostname verification checks.
 #    (-genkeypair takes -storetype, not -deststoretype, which belongs to -importkeystore.)
 keytool -genkeypair -keyalg RSA -keysize 2048 -alias projenvlocal -dname "CN=projenvlocal" \
    -ext SAN=DNS:projenvlocal,DNS:localhost,IP:127.0.0.1 -validity 3650 -keystore server.keystore.jks \
    -storepass pwd1234 -keypass pwd1234 -storetype pkcs12

 # 2. Truststore: only the given CA certificate goes in.
 keytool -keystore server.truststore.jks -alias CARoot -import -file projEnvCALocal.crt \
    -storepass pwd1234 -noprompt

 # 3. CSR for the server key; keytool includes the SAN from step 1 in the request.
 keytool -keystore server.keystore.jks -alias projenvlocal -certreq -file localhost.csr \
    -storepass pwd1234

 # 4. Sign the CSR with the given CA key (password-protected, hence -passin).
 #    sign-cert.cnf (not shown here) must define [server_cert] with the same subjectAltName,
 #    because openssl x509 -req does not copy extensions from the CSR.
 winpty openssl x509 -req -CA projEnvCALocal.crt -CAkey projEnvCALocal.key -in localhost.csr \
    -out localhost-signed.crt -days 3650 -CAcreateserial -extfile sign-cert.cnf \
    -extensions server_cert -passin pass:keypwd

 # 5. Import the CA into the keystore first, so the signed certificate's chain can be verified.
 keytool -keystore server.keystore.jks -alias CARoot -import -file projEnvCALocal.crt \
    -storepass pwd1234 -noprompt

 # 6. Import the signed certificate under the same alias as the key pair, replacing the self-signed one.
 keytool -keystore server.keystore.jks -alias projenvlocal -import -file localhost-signed.crt \
    -storepass pwd1234

* passwords are only illustrative, to show the full command line

The part below is what makes it possible to use the certificate's CN as the user name for Kafka authentication while connecting over localhost/127.0.0.1: the CN is what Kafka derives the authenticated principal from, and the SAN entries are what hostname verification matches against the address the client actually connects to, so both localhost and 127.0.0.1 have to be listed.

   -dname "CN=projenvlocal" -ext SAN=DNS:projenvlocal,DNS:localhost,IP:127.0.0.1

Note that keytool puts this SAN into the CSR, but openssl x509 -req does not copy extensions out of a CSR, so the server_cert section of sign-cert.cnf has to repeat the same subjectAltName or the signed certificate ends up without it.

Running the commands above creates two files, server.truststore.jks and server.keystore.jks. These files need to be referenced in the SSL section of Kafka's server.properties and Zookeeper's zoo.cfg (file names may differ though).
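The signing step above depends on a sign-cert.cnf that the post does not show. The script below is an added example, not code from the original post: it writes an assumed sign-cert.cnf whose server_cert section carries the SAN, signs a CSR with it the way the post does, signs the same CSR once more without -extfile to show the SAN disappearing, and then runs the checks worth doing before importing localhost-signed.crt into the keystore (SAN present, chain verifies against the CA, subject CN as Kafka will see it). The CA is a constructed stand-in for the projEnvCALocal.crt/.key pair the post was given, the server key and CSR are made with openssl instead of keytool so that no Java is needed, and the ca_cert section, subject names and passwords are assumptions; on Windows the openssl lines would carry the same winpty prefix as in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Generates everything in a temp
# dir: a stand-in CA, a server CSR, and two signed certs, one with the post's
# -extfile/-extensions arguments and one without, then checks the results.
set -eu

WORK="$(mktemp -d)"

# Assumed sign-cert.cnf. The post references this file but does not show it.
# server_cert must carry the SAN itself: "openssl x509 -req" ignores the
# extensions in the CSR, so whatever keytool -ext SAN=... put there is lost.
write_cnf() {
  cat > "$1/sign-cert.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = projenvlocal

[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:projenvlocal, DNS:localhost, IP:127.0.0.1
EOF
}

# Constructed stand-in for the CA the post was handed (password-protected key,
# hence the -passin pass:keypwd below, mirroring the post).
make_ca() {
  openssl genrsa -aes256 -passout pass:keypwd -out "$1/projEnvCALocal.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/projEnvCALocal.key" -passin pass:keypwd \
    -subj "/CN=projEnvCALocal" -days 3650 \
    -config "$1/sign-cert.cnf" -extensions ca_cert -out "$1/projEnvCALocal.crt"
}

# Server key and CSR. -addext puts the SAN into the request just as keytool's
# "-ext SAN=..." did in the post; it is still dropped at signing time.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/projenvlocal.key" \
    -subj "/CN=projenvlocal" -config "$1/sign-cert.cnf" \
    -addext "subjectAltName=DNS:projenvlocal,DNS:localhost,IP:127.0.0.1" \
    -out "$1/localhost.csr" 2>/dev/null
}

# The post's signing step: extensions are taken from sign-cert.cnf.
sign_with_extfile() {
  openssl x509 -req -in "$1/localhost.csr" -CA "$1/projEnvCALocal.crt" \
    -CAkey "$1/projEnvCALocal.key" -passin pass:keypwd -CAcreateserial -days 3650 \
    -extfile "$1/sign-cert.cnf" -extensions server_cert \
    -out "$1/localhost-signed.crt" 2>/dev/null
}

# Same command without -extfile: the cert comes out with no SAN at all, so
# hostname verification against localhost/127.0.0.1 would fail.
sign_without_extfile() {
  openssl x509 -req -in "$1/localhost.csr" -CA "$1/projEnvCALocal.crt" \
    -CAkey "$1/projEnvCALocal.key" -passin pass:keypwd -CAcreateserial -days 3650 \
    -out "$1/localhost-nosan.crt" 2>/dev/null
}

# Checks to run before importing localhost-signed.crt into the keystore.
cert_san() {   # prints the SAN entries with spaces removed; empty if none
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
cert_has_san() { cert_san "$1" | grep -q -- "$2"; }           # cert, entry
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }  # Kafka-style DN
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null; }   # ca, cert

write_cnf "$WORK"; make_ca "$WORK"; make_csr "$WORK"
sign_with_extfile "$WORK"; sign_without_extfile "$WORK"
printf 'with -extfile:    %s | SAN=%s\n' "$(cert_subject "$WORK/localhost-signed.crt")" "$(cert_san "$WORK/localhost-signed.crt")"
printf 'without -extfile: SAN=[%s]\n' "$(cert_san "$WORK/localhost-nosan.crt")"
```

The files are left in the temp directory named by $WORK so they can be inspected; localhost-signed.crt is the one that would go into the keystore with the post's final keytool -import, while localhost-nosan.crt shows what a missing server_cert section produces.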