Streamlined version of confluent-platform-security-tools script to generate SSL certificates from a pre-existing CA crt/key.
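#!/usr/bin/env bash
# Customized version of https://github.com/confluentinc/confluent-platform-security-tools
# Starting with confluentCA.pem & confluentCA.key provided by Administrator (which is created prior to Confluent Platform install)
#
# Builds, in the current directory, a JKS truststore holding the CA certificate and a
# JKS keystore holding a CA-signed RSA key pair for one Confluent Platform / Kafka host.
#
# Inputs (files in the current directory):
#   confluentCA.pem   CA certificate
#   confluentCA.key   CA private key (keep it out of whatever directory you ship the stores from)
# Inputs (environment, all optional so the script still runs exactly as the original did):
#   CERT_HOST         hostname placed in the CN and in a subjectAltName. The default is the
#                     original placeholder CN, which will NOT pass hostname verification.
#   STORE_PASSWORD    keystore / truststore / key password. The default is the original demo
#                     value; a warning is printed when it is in use.
#   VALIDITY_DAYS     certificate lifetime in days (default 3650, as in the original).
# Outputs:
#   kafka.cps1.truststore.jks, kafka.cps1.keystore.jks
#   confluentCA.srl   serial counter created by openssl; keep it so later certificates signed
#                     by this CA do not reuse a serial number.
set -euo pipefail

CERT_HOST="${CERT_HOST:-confluent-platform-security}"
STORE_PASSWORD="${STORE_PASSWORD:-cps-password1}"
VALIDITY_DAYS="${VALIDITY_DAYS:-3650}"
# Exported so keytool can read it via -storepass:env / -keypass:env instead of argv,
# which would expose the password to every local user through `ps`.
export STORE_PASSWORD

DNAME="C=UK, ST=LON,L=LON,O=IBMTest,OU=Cloud,CN=${CERT_HOST}"
readonly TRUSTSTORE=kafka.cps1.truststore.jks
readonly KEYSTORE=kafka.cps1.keystore.jks
readonly CA_CERT=confluentCA.pem
readonly CA_KEY=confluentCA.key

if [[ "${STORE_PASSWORD}" == "cps-password1" ]]; then
  printf 'WARNING: using the demo password; set STORE_PASSWORD for anything beyond a throwaway test\n' >&2
fi
for f in "${CA_CERT}" "${CA_KEY}"; do
  [[ -r "$f" ]] || { printf 'error: missing or unreadable %s\n' "$f" >&2; exit 1; }
done

# The CSR and the signed certificate are intermediate files; remove them on every exit
# path (the original only removed them when all preceding commands succeeded).
cleanup() { rm -f -- keystore.csr keystore-signed-cert; }
trap cleanup EXIT

# Create truststore from provided CA certificate.
# -dname and -keypass are meaningless for a trusted-certificate import and were dropped.
keytool -keystore "${TRUSTSTORE}" -alias CARoot -import -file "${CA_CERT}" -noprompt \
  -storepass:env STORE_PASSWORD

# Create keystore containing a new RSA key pair and a placeholder self-signed certificate
keytool -keystore "${KEYSTORE}" -alias localhost -validity "${VALIDITY_DAYS}" -genkey \
  -keyalg RSA -keysize 2048 -noprompt -dname "${DNAME}" \
  -keypass:env STORE_PASSWORD -storepass:env STORE_PASSWORD

# Create certificate signing request from the keystore's key pair
keytool -keystore "${KEYSTORE}" -alias localhost -certreq -file keystore.csr \
  -keypass:env STORE_PASSWORD -storepass:env STORE_PASSWORD

# Sign the CSR with the CA key (aka approve the certificate signing request).
# A subjectAltName is added explicitly: clients that verify the endpoint identity
# (ssl.endpoint.identification.algorithm=https, the default on current Kafka) match
# the SAN, not the CN, and `openssl x509 -req` does not copy extensions from the CSR.
openssl x509 -req -CA "${CA_CERT}" -CAkey "${CA_KEY}" -in keystore.csr -out keystore-signed-cert \
  -days "${VALIDITY_DAYS}" -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "${CERT_HOST}")

# Import the CA into the keystore; this must precede the signed certificate so keytool
# can validate the chain when the reply is imported.
keytool -keystore "${KEYSTORE}" -alias CARoot -import -file "${CA_CERT}" -noprompt \
  -storepass:env STORE_PASSWORD

# Import the signed certificate back into the keystore, replacing the self-signed one
keytool -keystore "${KEYSTORE}" -alias localhost -import -file keystore-signed-cert -noprompt \
  -keypass:env STORE_PASSWORD -storepass:env STORE_PASSWORD

# Create a config.properties file with the following values (substitute the password you
# set in STORE_PASSWORD; do not commit the file to version control).
## ssl.keystore.location=/.../kafka.cps1.keystore.jks
## ssl.keystore.password=<STORE_PASSWORD>
## ssl.key.password=<STORE_PASSWORD>
## ssl.truststore.location=/.../kafka.cps1.truststore.jks
## ssl.truststore.password=<STORE_PASSWORD>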