Para generar los certificados para Kafka
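#!/usr/bin/env bash
# Generate a private CA, a Kafka broker keystore and a matching truststore for
# the broker's TLS listener (the original notes refer to port 9093).
#
# Required env: SRVPASS   - keystore/truststore password; also used as the key
#                           password (a PKCS12 store needs the two to match).
# Optional env: BROKER_CN - subject CN of the broker certificate, i.e. the
#                           public DNS name clients connect to
#                           (default: yourdomain.com).
#
# Files written to the current directory:
#   ca-cert, cert-signed              public: distribute to every client
#   ca-key, kafka.server.keystore.jks private: never distribute
#   kafka.server.truststore.jks       the CA certificate in truststore form
#   cert-file                         CSR; intermediate only, deleted at the end
set -euo pipefail

# The store password is a secret: take it from the environment instead of
# hard-coding it. It stays exported because keytool reads it via ":env" below.
: "${SRVPASS:?set SRVPASS to the keystore password before running}"
export SRVPASS
broker_cn=${BROKER_CN:-yourdomain.com}
readonly broker_cn

# Everything produced here is a private key or a keystore; make new files
# readable by the current user only.
umask 077

# 1. Self-signed CA. -nodes leaves ca-key unencrypted, which is why the later
#    openssl x509 call needs no -passin.
openssl req -new -newkey rsa:4096 -days 365 -x509 \
  -subj "/CN=Kafka-Security-CA" -keyout ca-key -out ca-cert -nodes

# 2. Broker key pair in a PKCS12 keystore. The key algorithm is given
#    explicitly because keytool's default depends on the JDK version.
#    "-storepass:env VAR" makes keytool read the password from the environment
#    so the secret does not appear in the process argument list.
keytool -genkey -keystore kafka.server.keystore.jks -validity 365 \
  -keyalg RSA -keysize 2048 \
  -storepass:env SRVPASS -keypass:env SRVPASS \
  -dname "CN=${broker_cn}" -storetype pkcs12
# Show what was generated. Supplying the password here keeps the step from
# blocking on an interactive "Enter keystore password:" prompt.
keytool -list -v -keystore kafka.server.keystore.jks -storepass:env SRVPASS

# 3. CSR for the broker key, signed by the CA.
keytool -keystore kafka.server.keystore.jks -certreq -file cert-file \
  -storepass:env SRVPASS -keypass:env SRVPASS
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
  -days 365 -CAcreateserial
keytool -printcert -v -file cert-signed

# 4. Trust the CA in both stores, then install the signed certificate.
#    The last import gives no -alias, so it lands on keytool's default alias,
#    the same one -genkey used, and replaces the self-signed entry with the
#    CA-signed chain.
keytool -keystore kafka.server.truststore.jks -alias CARoot -import \
  -file ca-cert -storepass:env SRVPASS -keypass:env SRVPASS -noprompt
keytool -keystore kafka.server.keystore.jks -alias CARoot -import \
  -file ca-cert -storepass:env SRVPASS -keypass:env SRVPASS -noprompt
keytool -keystore kafka.server.keystore.jks -import -file cert-signed \
  -storepass:env SRVPASS -keypass:env SRVPASS -noprompt

# The CSR is only an intermediate artefact; remove it once the chain is in
# the keystore.
rm -f -- cert-file

# Restart the broker so it picks up the new keystore, then show its status.
sudo systemctl restart kafka
sudo systemctl status kafka

# To check the encrypted listener from a client terminal:
#   openssl s_client -connect "${broker_cn}:9093"
# The output should begin with "CONNECTED(...)".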