Kafka PKCS12 SSL
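# ca.cnf: self-signed root CA that signs the broker and client certificates.
# Used as: openssl req -new -x509 -key certs/ca-key.pem -config conf/ca.cnf
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C = EU
ST = PL
L = YourCity
O = YourOrganization
CN = CACommonName
[v3_ca]
# RFC 5280 4.2.1.9: basicConstraints MUST be marked critical in a CA certificate.
basicConstraints = critical, CA:TRUE
# Limit the CA key to issuing certificates and CRLs. Without a keyUsage
# extension the certificate is unrestricted (usable for any purpose).
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash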
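# cert.cnf: CSR template for the broker (server) certificates.
# The same section has to be given again when the CA signs the CSR
# (`openssl x509 -req -extfile conf/cert.cnf -extensions v3_req`), because
# `x509 -req` does not carry extensions over from the request.
[req]
prompt = no
distinguished_name = req_distinguished_name
# `x509_extensions` only applies to `req -x509` (self-signed output); for a CSR
# the extensions are taken from `req_extensions`, otherwise the request has none.
req_extensions = v3_req
[req_distinguished_name]
C = EU
ST = PL
L = YourCity
O = YourOrganization
CN = KafkaCommonName
[v3_req]
# digitalSignature is needed: the broker authenticates the (EC)DHE handshake by
# signing with this key, and that is the only key exchange TLS 1.3 offers
# (server.properties pins ssl.enabled.protocols=TLSv1.3). Java's trust manager
# rejects a server certificate whose keyUsage omits it. keyEncipherment is kept
# for RSA key transport should TLS 1.2 ever be re-enabled; dataEncipherment has
# no meaning for TLS.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# Hostname verification compares these names with the address the peer dials
# (advertised.listeners / controller.quorum.voters: kafka01..kafka03,
# 10.5.50.77). With only localhost here, verification has to stay disabled
# (ssl.endpoint.identification.algorithm=) on the brokers; add the real broker
# names/IPs — one certificate per broker, or all names in each — to turn it on.
DNS.1 = localhost
IP.1 = 127.0.0.1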
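# client.cnf: CSR template for Kafka client certificates (the broker runs with
# ssl.client.auth=required). Give the section again at signing time
# (`openssl x509 -req -extfile conf/client.cnf -extensions v3_req`); `x509 -req`
# does not copy extensions from the request.
[req]
prompt = no
distinguished_name = req_distinguished_name
# `x509_extensions` is only honoured by `req -x509`; a CSR takes its extensions
# from `req_extensions`.
req_extensions = v3_req
[req_distinguished_name]
C = EU
ST = PL
L = YourCity
O = YourOrganization
# The broker derives the Kafka principal from the full subject DN of this
# certificate (unless ssl.principal.mapping.rules is configured), so the CN
# should identify the client application, not be a placeholder.
CN = ClientCommonName
[v3_req]
# A TLS client proves possession of its key by signing the handshake
# (CertificateVerify), so digitalSignature is the usage that matters; the
# broker's Java trust manager rejects a client certificate whose keyUsage omits
# it. keyEncipherment/dataEncipherment play no part in client authentication.
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth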
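#!/bin/sh
# Creates a private CA, one PKCS12 keystore per broker (certs/keystore1..3.p12)
# and a PKCS12 truststore holding only the CA certificate. Expects conf/ca.cnf,
# conf/cert.cnf and an existing certs/ directory. The broker private keys are
# left in the working directory as key1..3.pem (readable by the owner only).
#
# Passwords come from KEYSTORE_PASSWORD / TRUSTSTORE_PASSWORD so they are not
# visible in `ps` (openssl reads them with -passout env:) and the placeholder
# defaults below can be overridden without editing the script.
set -eu
# Private keys, keystores and the CA key must not be created world-readable.
umask 077

export KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-your_keystore_password}"
export TRUSTSTORE_PASSWORD="${TRUSTSTORE_PASSWORD:-your_truststore_password}"
# Validity of the issued broker certificates; `openssl x509 -req` issues
# 30-day certificates when -days is omitted.
CERT_DAYS="${CERT_DAYS:-365}"

# Step 1: Generate a CA Key and Certificate (Truststore)
openssl genpkey -algorithm RSA -out certs/ca-key.pem
openssl req -new -x509 -key certs/ca-key.pem -out certs/ca-cert.pem -days 365 -config conf/ca.cnf

# Step 2: Generate a Keypair and Keystore for broker-broker communication
# `{1..3}` is a bash brace expansion; dash (/bin/sh on Debian/Ubuntu) passes it
# through literally, so the loop ran once and produced "key{1..3}.pem".
for i in 1 2 3
do
    openssl genpkey -algorithm RSA -out "key$i.pem"
    openssl req -new -key "key$i.pem" -out "csr$i.pem" -config conf/cert.cnf
    # `x509 -req` does not apply the extensions requested in the CSR: without
    # -extfile/-extensions the issued certificate carries no subjectAltName,
    # keyUsage or extendedKeyUsage. -CAcreateserial keeps the serial counter in
    # certs/ca-cert.srl (named after the CA certificate).
    openssl x509 -req -in "csr$i.pem" -CA certs/ca-cert.pem -CAkey certs/ca-key.pem \
        -CAcreateserial -days "$CERT_DAYS" -sha256 \
        -extfile conf/cert.cnf -extensions v3_req -out "cert$i.pem"
    openssl pkcs12 -export -in "cert$i.pem" -inkey "key$i.pem" -out "certs/keystore$i.p12" \
        -name kafka-keystore -passout env:KEYSTORE_PASSWORD
done

# Step 3: Build the truststore from the CA *certificate* only.
# Exporting with `-inkey certs/ca-key.pem` (as before) puts the CA private key
# into the truststore, which is copied to every broker and client; anyone with
# that file could then issue certificates for this cluster. A certificate-only
# PKCS12 written by `openssl pkcs12 -export -nokeys` typically loads as an empty
# store in Java, which needs the JDK trusted-usage attribute on the entry
# (OpenSSL >= 3.2 can add it with -jdktrust), so keytool is used instead.
rm -f certs/truststore.p12
keytool -importcert -noprompt -alias kafka-truststore -file certs/ca-cert.pem \
    -keystore certs/truststore.p12 -storetype PKCS12 -storepass:env TRUSTSTORE_PASSWORD

# Cleanup intermediate files. The serial file is certs/ca-cert.srl, not
# ./ca-cert.srl; it is kept so serials remain unique across runs.
rm -f csr*.pem cert*.pem
echo "Certificates and keystores generated successfully."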
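#!/bin/sh
# Issues one client certificate from the CA made by the broker script and packs
# it into certs/client-keystore.p12 (alias kafka-client). Expects conf/client.cnf,
# certs/ca-cert.pem and certs/ca-key.pem. The PEM private key stays in the
# working directory as client-key.pem (owner-readable only) for non-Java clients.
set -eu
# The private key and keystore must not be created world-readable.
umask 077

# Read from the environment so the password is not visible in `ps`.
export CLIENT_KEYSTORE_PASSWORD="${CLIENT_KEYSTORE_PASSWORD:-your_client_keystore_password}"
# `openssl x509 -req` issues 30-day certificates when -days is omitted.
CERT_DAYS="${CERT_DAYS:-365}"

# Step 1: Generate a client key and certificate
openssl genpkey -algorithm RSA -out client-key.pem
openssl req -new -key client-key.pem -out client-csr.pem -config conf/client.cnf
# `x509 -req` does not apply the extensions from the CSR; keyUsage and
# extendedKeyUsage=clientAuth have to be supplied again via -extfile/-extensions.
openssl x509 -req -in client-csr.pem -CA certs/ca-cert.pem -CAkey certs/ca-key.pem \
    -CAcreateserial -days "$CERT_DAYS" -sha256 \
    -extfile conf/client.cnf -extensions v3_req -out certs/client-cert.pem

# Step 2: Convert the client key and certificate to PKCS12 format (Client Keystore)
openssl pkcs12 -export -in certs/client-cert.pem -inkey client-key.pem \
    -out certs/client-keystore.p12 -name kafka-client -passout env:CLIENT_KEYSTORE_PASSWORD

# Cleanup intermediate files. The serial file created by -CAcreateserial is
# certs/ca-cert.srl (named after the CA certificate, not the issued one); it is
# shared with the broker script and left in place.
rm -f client-csr.pem
echo "Client certificate and keystore generated successfully."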
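# server.properties for node 1 of a three-node KRaft cluster (each node is both
# broker and controller). Brokers and clients use mutually authenticated TLS.
# Per-node values: node.id and ssl.keystore.location.
process.roles=broker,controller
node.id=1
controller.quorum.voters=1@kafka01:29190,2@kafka02:29290,3@kafka03:29390
listeners=CONTROLLER://0.0.0.0:29190,SSL://0.0.0.0:29193
inter.broker.listener.name=SSL
advertised.listeners=SSL://10.5.50.77:29193
delete.topic.enable=true
controller.listener.names=CONTROLLER
# The controller listener carries the KRaft quorum and metadata log and is bound
# on every interface, so it must not be PLAINTEXT: anything able to reach port
# 29190 could otherwise talk to the quorum without any credentials. Mapping it
# to SSL makes it use the ssl.* settings below (ssl.client.auth=required
# included). Change all three nodes together; a quorum with mixed protocols
# cannot form. Unused PLAINTEXT mappings are dropped so a plaintext listener
# cannot be added by accident.
listener.security.protocol.map=CONTROLLER:SSL,SSL:SSL,SASL_SSL:SASL_SSL
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/var/lib/kafka/data
num.partitions=8
default.replication.factor=3
min.insync.replicas=2
num.recovery.threads.per.data.dir=1
offsets.topic.replication.factor=3
transaction.state.log.replication.factor=3
transaction.state.log.min.isr=2
log.retention.hours=168
log.segment.bytes=1073741824
auto.create.topics.enable=true
log.retention.check.interval.ms=300000
controlled.shutdown.enable=true
offsets.retention.minutes=10080
replica.lag.time.max.ms=30000
ssl.keystore.type=PKCS12
ssl.keystore.location=/etc/kafka/secrets/keystore1.p12
# Store passwords in clear text here; a config provider (config.providers with
# ${file:...} or ${env:...} references) keeps them out of the committed file.
ssl.keystore.password=your_keystore_password
# The truststore produced by the generation script is PKCS12; say so instead of
# relying on the JKS default reading PKCS12 transparently.
ssl.truststore.type=PKCS12
ssl.truststore.location=/etc/kafka/secrets/truststore.p12
ssl.truststore.password=your_truststore_password
# Mutual TLS: every client and peer broker must present a certificate signed by
# the CA in the truststore. No authorizer.class.name is set, so every holder of
# a CA-issued certificate is allowed every operation; configure an authorizer
# and ACLs before exposing this cluster.
ssl.client.auth=required
# TLS 1.3 only: the broker's RSA certificate must carry the digitalSignature key
# usage (TLS 1.3 has no RSA key transport), and clients without TLS 1.3 cannot
# connect.
ssl.enabled.protocols=TLSv1.3
# An empty value disables hostname verification on the connections this broker
# opens as a client (inter-broker and controller). It is needed because the
# generated certificates only list localhost/127.0.0.1, but it means any
# CA-issued certificate is accepted as any broker. Put the real broker names/IPs
# in the certificates and set this to HTTPS.
ssl.endpoint.identification.algorithm=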