Skip to content

Instantly share code, notes, and snippets.

Created August 5, 2019 13:32
Show Gist options
  • Save anoopl/85d869f7a85a70c6c60542922fc314a8 to your computer and use it in GitHub Desktop.
Save anoopl/85d869f7a85a70c6c60542922fc314a8 to your computer and use it in GitHub Desktop.
Create Kafka JKS Keys
#Step 1
#Generate server keystore and client keystore
keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.client.keystore.jks -alias localhost -validity 365 -genkey
#Step 2
#Create CA
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
#Add generated CA to the trust store
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
#Step 3
#Sign the key store
keytool -keystore kafka.server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234 -extfile ssl.cnf -extensions req_ext
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.server.keystore.jks -alias localhost -import -file cert-signed
#Sign the client keystore
keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file-client
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file-client -out cert-signed-client -days 365 -CAcreateserial -passin pass:test1234 -extfile ssl.cnf -extensions req_ext
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed-client
[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kafka-0.kafka-headless.kafka.svc.cluster.local
DNS.2 = kafka-1.kafka-headless.kafka.svc.cluster.local
DNS.3 = kafka-2.kafka-headless.kafka.svc.cluster.local
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment