Saturday, March 6, 2021

Create truststore and keystore for local Kafka and Zookeeper on Windows

Scenario:

  1. I needed to run local Zookeeper and Kafka with an existing CA certificate and an existing consumer certificate.
  2. Hence the server certificate had to carry a specific CN, not "localhost", and still be valid for 127.0.0.1 and localhost.
  3. Modifying the Windows hosts file was not allowed.

All samples I found on the net presumed that the CA needs to be generated. My use case was different: I was given the CA and the client certificate and had to use that certificate chain for authentication.

I used Git Bash (an MSYS2 environment, similar to Cygwin) for this exercise; that is why the openssl line is prefixed with winpty, which gives the console program a proper TTY under mintty.


 # 1. Key pair for the broker. -storetype PKCS12 replaces the original -deststoretype,
 #    which is an -importkeystore option and is ignored by -genkeypair.
 keytool -genkeypair -keyalg RSA -keysize 2048 -alias projenvlocal -dname "CN=projenvlocal" \
    -ext SAN=DNS:projenvlocal,DNS:localhost,IP:127.0.0.1 -validity 3650 -keystore server.keystore.jks \
    -storepass pwd1234 -keypass pwd1234 -storetype PKCS12

 # 2. Truststore holding only the given CA
 keytool -keystore server.truststore.jks -alias CARoot -importcert -file projEnvCALocal.crt \
    -storepass pwd1234 -noprompt

 # 3. CSR for the broker key
 keytool -keystore server.keystore.jks -alias projenvlocal -certreq -file localhost.csr \
    -storepass pwd1234

 # 4. Sign the CSR with the given CA; the SAN comes from the server_cert section of sign-cert.cnf,
 #    because "openssl x509 -req" does not copy extensions from the CSR
 winpty openssl x509 -req -CA projEnvCALocal.crt -CAkey projEnvCALocal.key -in localhost.csr \
    -out localhost-signed.crt -days 3650 -CAcreateserial -extfile sign-cert.cnf \
    -extensions server_cert -passin pass:keypwd

 # 5. CA first, so keytool can validate the chain of the reply that follows
 keytool -keystore server.keystore.jks -alias CARoot -importcert -file projEnvCALocal.crt \
    -storepass pwd1234 -noprompt

 # 6. Replace the self-signed certificate under the key alias with the signed one
 keytool -keystore server.keystore.jks -alias projenvlocal -importcert -file localhost-signed.crt \
    -storepass pwd1234

* Passwords are placeholders, shown only so that the command lines are complete.

The part below is what makes it possible to keep a fixed certificate CN as the user name for Kafka authentication while still connecting over localhost/127.0.0.1:

   -dname "CN=projenvlocal" -ext SAN=DNS:projenvlocal,DNS:localhost,IP:127.0.0.1

The subject DN set by -dname is what the peer sees as the principal when this certificate is presented as a client certificate (by default the whole DN, CN=projenvlocal; Kafka's ssl.principal.mapping.rules can reduce it to just the CN). The SAN is what hostname verification checks, so with DNS:localhost and IP:127.0.0.1 listed a client can connect to either without a hosts-file entry for projenvlocal. Note that the SAN given to -genkeypair lands in the self-signed certificate only; "openssl x509 -req" does not copy extensions from the CSR, so the signed certificate gets its SAN from the server_cert section of sign-cert.cnf, which therefore has to list the same names.

Running the commands above produces the two files that matter, server.truststore.jks and server.keystore.jks (plus localhost.csr, localhost-signed.crt and a .srl serial file next to the CA as by-products). Point the SSL section of Kafka's server.properties at them (ssl.keystore.location, ssl.keystore.password, ssl.key.password, ssl.truststore.location, ssl.truststore.password) and likewise Zookeeper's zoo.cfg (ssl.keyStore.location, ssl.keyStore.password, ssl.trustStore.location, ssl.trustStore.password); the file names may of course differ.
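The whole procedure as one script, added here as an example and not the original post's code. It wraps the keytool/openssl steps in functions, supplies a sign-cert.cnf with a server_cert section (the post uses that file but does not show it, so its content is an assumption that mirrors the SAN given to keytool), and adds a verification step that checks the signed certificate chains to the CA and actually carries the three SAN entries. File names (projEnvCALocal.crt, projEnvCALocal.key, server.keystore.jks, server.truststore.jks, localhost.csr, localhost-signed.crt) and the placeholder passwords are taken from the post; the HOST_ALIAS, STORE_PASS and OPENSSL variables are mine. It is written for Git Bash or any POSIX shell; keytool and openssl must be on PATH.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: keystore/truststore build for a
# local Kafka/Zookeeper broker using an externally supplied CA, plus the
# extension file and a verification step. Assumed names: CA pair
# projEnvCALocal.crt / projEnvCALocal.key, host alias projenvlocal,
# placeholder passwords as in the post.
set -eu

HOST_ALIAS=${HOST_ALIAS:-projenvlocal}
STORE_PASS=${STORE_PASS:-pwd1234}      # placeholder, as in the post
OPENSSL=${OPENSSL:-openssl}            # Git Bash: OPENSSL="winpty openssl" if needed

# write_sign_cnf <out-file> <cn>
# The SAN must be repeated in the extension file: "openssl x509 -req" does not
# copy extensions from the CSR (OpenSSL 3.x only does so with -copy_extensions),
# so without this section the signed certificate would carry no SAN and hostname
# verification against localhost / 127.0.0.1 would fail. Assumed section content.
write_sign_cnf() {
  cat >"$1" <<EOF
[server_cert]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:localhost, IP:127.0.0.1
EOF
}

# sign_csr <csr> <out-crt> <ca-crt> <ca-key> <cnf> [ca-key-password]
# Same openssl invocation as in the post. An empty password is fine for an
# unencrypted CA key; for a real key prefer -passin env:VAR or file:PATH over
# pass:, which is visible in the process list.
sign_csr() {
  $OPENSSL x509 -req -in "$1" -CA "$3" -CAkey "$4" -CAcreateserial \
    -out "$2" -days 3650 -extfile "$5" -extensions server_cert -passin "pass:${6:-}"
}

# verify_signed_cert <crt> <ca-crt>
# Returns 0 only if the certificate chains to the CA and carries the three SAN
# entries the local setup depends on; 1 otherwise.
verify_signed_cert() {
  local text
  $OPENSSL verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
  text=$($OPENSSL x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q "DNS:$HOST_ALIAS" || return 1
  printf '%s\n' "$text" | grep -q 'DNS:localhost' || return 1
  printf '%s\n' "$text" | grep -q 'IP Address:127.0.0.1' || return 1
  return 0
}

# build_stores <ca-crt> <ca-key> [ca-key-password]
# The post's keytool sequence. -storetype PKCS12 is used instead of the post's
# -deststoretype, which belongs to -importkeystore and is ignored by -genkeypair.
build_stores() {
  local ca_crt=$1 ca_key=$2 pass=${3:-} cnf=sign-cert.cnf
  write_sign_cnf "$cnf" "$HOST_ALIAS"
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$HOST_ALIAS" \
    -dname "CN=$HOST_ALIAS" -ext "SAN=DNS:$HOST_ALIAS,DNS:localhost,IP:127.0.0.1" \
    -validity 3650 -keystore server.keystore.jks -storetype PKCS12 \
    -storepass "$STORE_PASS" -keypass "$STORE_PASS"
  keytool -importcert -keystore server.truststore.jks -storetype PKCS12 -alias CARoot \
    -file "$ca_crt" -storepass "$STORE_PASS" -noprompt
  keytool -certreq -keystore server.keystore.jks -alias "$HOST_ALIAS" \
    -file localhost.csr -storepass "$STORE_PASS"
  sign_csr localhost.csr localhost-signed.crt "$ca_crt" "$ca_key" "$cnf" "$pass"
  verify_signed_cert localhost-signed.crt "$ca_crt"
  # CA first, so keytool can validate the reply chain when it replaces the
  # self-signed certificate under the key alias.
  keytool -importcert -keystore server.keystore.jks -alias CARoot \
    -file "$ca_crt" -storepass "$STORE_PASS" -noprompt
  keytool -importcert -keystore server.keystore.jks -alias "$HOST_ALIAS" \
    -file localhost-signed.crt -storepass "$STORE_PASS" -noprompt
  keytool -list -keystore server.keystore.jks -storepass "$STORE_PASS"
}

# Usage: ./make-local-stores.sh projEnvCALocal.crt projEnvCALocal.key [ca-key-password]
if [ $# -ge 2 ]; then
  build_stores "$@"
fi
```

After the script finishes, `keytool -list -v -keystore server.keystore.jks` should show the projenvlocal entry with a certificate chain length of 2 (signed certificate plus CA) and the SAN line containing projenvlocal, localhost and 127.0.0.1; if the chain length is 1 or the SAN is missing, the server_cert section was not applied at signing time.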
