证书生成
在kafka安装目录下/certificates生成keystore和trust文件,在其中一台机器声生成证书,然后将
生成的server.keystore.jks
和server.truststore.jks
文件拷贝其他broker节点上去即可
1.生成keystore
shell
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -validity 3650 -genkey -keyalg RSA -storetype pkcs12 -storepass 123456 -keypass 123456 -dname "CN=*.machine.com, OU=JD, O=JD, L=Beijing, ST=Beijing, C=CN"
[root@m1 certificates]# ls -al
total 4
drwxr-xr-x. 2 root root 33 May 21 17:08 .
drwxr-xr-x. 8 root root 149 May 21 17:03 ..
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
2.创建CA(Certificate Authority:认证机构)
shell
[root@m1 certificates]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 -passin pass:123456 -passout pass:123456 -subj "/C=CN/ST=Beijing/L=Beijing/O=JD/CN=*.machine.com"
Generating a 2048 bit RSA private key
.......................................................................+++
.................................................................+++
writing new private key to 'ca-key'
-----
[root@m1 certificates]# ls -al
total 12
drwxr-xr-x. 2 root root 62 May 21 17:13 .
drwxr-xr-x. 8 root root 149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
3.导入CA到truststore
shell
[root@m1 certificates]# keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert -storepass 123456 -keypass 123456 -noprompt
Certificate was added to keystore
[root@m1 certificates]# ls -al
total 16
drwxr-xr-x. 2 root root 91 May 21 17:18 .
drwxr-xr-x. 8 root root 149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root 962 May 21 17:18 server.truststore.jks
- 从keystore中导出证书
shell
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -certreq -file cert-file -storepass 123456 -keypass "123456
[root@m1 certificates]# ls -al
total 20
drwxr-xr-x. 2 root root 108 May 21 17:21 .
drwxr-xr-x. 8 root root 149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 1085 May 21 17:21 cert-file
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root 962 May 21 17:18 server.truststore.jks
- 签发证书
shell
[root@m1 certificates]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:123456
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=JD/OU=JD/CN=*.machine.com
Getting CA Private Key
- 导入CA到keystore
shell
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert -storepass 123456 -keypass 123456 -noprompt
Certificate was added to keystore
- 导入证书到keystore
shell
[root@m1 certificates]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed -storepass "123456" -keypass "123456"
:Certificate was added to keystore
配置kafka broker
properties
...
listeners=SSL://m1.machine.proxy:9093
advertised.listeners=SSL://m1.machine.proxy:9093
ssl.keystore.location=/export/server/kafka_2.11-2.4.1/certificates/server.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/export/server/kafka_2.11-2.4.1/certificates/server.truststore.jks
ssl.truststore.password=123456
ssl.key.password=123456
ssl.endpoint.identification.algorithm=
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2
ssl.truststore.type=JKS
ssl.keystore.type=JKS
...