Skip to content

Instantly share code, notes, and snippets.

Last active June 3, 2021 18:02
Show Gist options
  • Save osowski/6abf268e9d7ab521481cc35523bc50f6 to your computer and use it in GitHub Desktop.
Save osowski/6abf268e9d7ab521481cc35523bc50f6 to your computer and use it in GitHub Desktop.
Streamlined version of confluent-platform-security-tools script to generate SSL certificates from a pre-existing CA crt/key.
# Customized version of
# Starting with confluentCA.pem & confluentCA.key provided by Administrator (which is created prior to Confluent Platform install)
DNAME="C=UK, ST=LON,L=LON,O=IBMTest,OU=Cloud,CN=confluent-platform-security"
# Create truststore from provided CA certificate
keytool -keystore kafka.cps1.truststore.jks -alias CARoot -import -file confluentCA.pem -noprompt -dname "${DNAME}" -keypass cps-password1 -storepass cps-password1
# Create client keystore containing a key pair and a self-signed certificate
keytool -keystore kafka.cps1.keystore.jks -alias localhost -validity 3650 -genkey -keyalg RSA -noprompt -dname "${DNAME}" -keypass cps-password1 -storepass cps-password1
# Create certificate signing request from the keystore's key pair
keytool -keystore kafka.cps1.keystore.jks -alias localhost -certreq -file keystore.csr -keypass cps-password1 -storepass cps-password1
# Sign the keystore's certificate with the truststore's private key (CA) (aka approve the certificate signing request)
openssl x509 -req -CA confluentCA.pem -CAkey confluentCA.key -in keystore.csr -out keystore-signed-cert -days 3650 -CAcreateserial
# Import the CA into the keystore
keytool -keystore kafka.cps1.keystore.jks -alias CARoot -import -file confluentCA.pem -keypass cps-password1 -storepass cps-password1 -noprompt
# Import the signed certificate back into the keystore
keytool -keystore kafka.cps1.keystore.jks -alias localhost -import -file keystore-signed-cert -keypass cps-password1 -storepass cps-password1
# Remove intermediate (non-Truststore/Keystore) files
rm keystore-signed-cert keystore.csr
# Create a file with the following values
## ssl.keystore.location=/.../kafka.cps1.keystore.jks
## ssl.keystore.password=cps-password1
## ssl.key.password=cps-password1
## ssl.truststore.location=/.../kafka.cps1.truststore.jks
## ssl.truststore.password=cps-password1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment