我要评论证书生成
在kafka安装目录下/certificates生成keystore和trust文件,在其中一台机器声生成证书,然后将
生成的server.keystore.jks和server.truststore.jks文件拷贝其他broker节点上去即可
1.生成keystore
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -validity 3650 -genkey -keyalg rsa -storetype pkcs12 -storepass 123456 -keypass 123456 -dname "cn=*.machine.com, ou=jd, o=jd, l=beijing, st=beijing, c=cn"
[root@m1 certificates]# ls -al
total 4
drwxr-xr-x. 2 root root 33 may 21 17:08 .
drwxr-xr-x. 8 root root 149 may 21 17:03 ..
-rw-r--r--. 1 root root 2565 may 21 17:08 server.keystore.jks
2.创建ca(certificate authority:认证机构)
[root@m1 certificates]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 -passin pass:123456 -passout pass:123456 -subj "/c=cn/st=beijing/l=beijing/o=jd/cn=*.machine.com"
generating a 2048 bit rsa private key
.......................................................................+++
.................................................................+++
writing new private key to 'ca-key'
-----
[root@m1 certificates]# ls -al
total 12
drwxr-xr-x. 2 root root 62 may 21 17:13 .
drwxr-xr-x. 8 root root 149 may 21 17:03 ..
-rw-r--r--. 1 root root 1273 may 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 may 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 may 21 17:08 server.keystore.jks
3.导入ca到truststore
[root@m1 certificates]# keytool -keystore server.truststore.jks -alias caroot -import -file ca-cert -storepass 123456 -keypass 123456 -noprompt
certificate was added to keystore
[root@m1 certificates]# ls -al
total 16
drwxr-xr-x. 2 root root 91 may 21 17:18 .
drwxr-xr-x. 8 root root 149 may 21 17:03 ..
-rw-r--r--. 1 root root 1273 may 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 may 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 may 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root 962 may 21 17:18 server.truststore.jks
- 从keystore中导出证书
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -certreq -file cert-file -storepass 123456 -keypass "123456
[root@m1 certificates]# ls -al
total 20
drwxr-xr-x. 2 root root 108 may 21 17:21 .
drwxr-xr-x. 8 root root 149 may 21 17:03 ..
-rw-r--r--. 1 root root 1273 may 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 may 21 17:13 ca-key
-rw-r--r--. 1 root root 1085 may 21 17:21 cert-file
-rw-r--r--. 1 root root 2565 may 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root 962 may 21 17:18 server.truststore.jks
- 签发证书
[root@m1 certificates]# openssl x509 -req -ca ca-cert -cakey ca-key -in cert-file -out cert-signed -days 365 -cacreateserial -passin pass:123456
signature ok
subject=/c=cn/st=beijing/l=beijing/o=jd/ou=jd/cn=*.machine.com
getting ca private key
- 导入ca到keystore
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias caroot -import -file ca-cert -storepass 123456 -keypass 123456 -noprompt
certificate was added to keystore
- 导入证书到keystore
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed -storepass "123456" -keypass "123456"
:certificate was added to keystore
配置kafka broker
...
listeners=ssl://m1.machine.proxy:9093
advertised.listeners=ssl://m1.machine.proxy:9093
ssl.keystore.location=/export/server/kafka_2.11-2.4.1/certificates/server.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/export/server/kafka_2.11-2.4.1/certificates/server.truststore.jks
ssl.truststore.password=123456
ssl.key.password=123456
ssl.endpoint.identification.algorithm=
security.inter.broker.protocol=ssl
ssl.client.auth=required
ssl.enabled.protocols=tlsv1.2
ssl.truststore.type=jks
ssl.keystore.type=jks
...
参考:https://www.ibm.com/docs/zh/cloud-paks/cp-biz-automation/21.0.3?topic=emitter-preparing-ssl-certificates-kafka
发表评论