Kafka SSL认证

证书生成

在kafka安装目录下/certificates生成keystore和trust文件，在其中一台机器声生成证书，然后将

生成的server.keystore.jks和server.truststore.jks文件拷贝其他broker节点上去即可

1.生成keystore

[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -validity 3650 -genkey -keyalg RSA -storetype pkcs12  -storepass 123456 -keypass 123456  -dname "CN=*.machine.com, OU=JD, O=JD, L=Beijing, ST=Beijing, C=CN"
[root@m1 certificates]# ls -al
total 4
drwxr-xr-x. 2 root root   33 May 21 17:08 .
drwxr-xr-x. 8 root root  149 May 21 17:03 ..
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks

2.创建CA（Certificate Authority：认证机构）

[root@m1 certificates]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 -passin pass:123456 -passout pass:123456 -subj "/C=CN/ST=Beijing/L=Beijing/O=JD/CN=*.machine.com"
Generating a 2048 bit RSA private key
.......................................................................+++
.................................................................+++
writing new private key to 'ca-key'
-----
[root@m1 certificates]# ls -al
total 12
drwxr-xr-x. 2 root root   62 May 21 17:13 .
drwxr-xr-x. 8 root root  149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks

3.导入CA到truststore

[root@m1 certificates]# keytool -keystore server.truststore.jks -alias CARoot -import -file  ca-cert -storepass 123456 -keypass 123456 -noprompt
Certificate was added to keystore
[root@m1 certificates]# ls -al
total 16
drwxr-xr-x. 2 root root   91 May 21 17:18 .
drwxr-xr-x. 8 root root  149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root  962 May 21 17:18 server.truststore.jks

4. 从keystore中导出证书

[root@m1 certificates]# keytool -keystore server.keystore.jks -alias kafka -certreq -file cert-file -storepass 123456 -keypass "123456
[root@m1 certificates]# ls -al
total 20
drwxr-xr-x. 2 root root  108 May 21 17:21 .
drwxr-xr-x. 8 root root  149 May 21 17:03 ..
-rw-r--r--. 1 root root 1273 May 21 17:13 ca-cert
-rw-r--r--. 1 root root 1834 May 21 17:13 ca-key
-rw-r--r--. 1 root root 1085 May 21 17:21 cert-file
-rw-r--r--. 1 root root 2565 May 21 17:08 server.keystore.jks
-rw-r--r--. 1 root root  962 May 21 17:18 server.truststore.jks

5. 签发证书

[root@m1 certificates]# openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:123456
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=JD/OU=JD/CN=*.machine.com
Getting CA Private Key

6. 导入CA到keystore

[root@m1 certificates]# keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert -storepass 123456 -keypass 123456 -noprompt
Certificate was added to keystore

7. 导入证书到keystore

[root@m1 certificates]# keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed -storepass "123456" -keypass "123456"
:Certificate was added to keystore

配置kafka broker

...
listeners=SSL://m1.machine.proxy:9093
advertised.listeners=SSL://m1.machine.proxy:9093

ssl.keystore.location=/export/server/kafka_2.11-2.4.1/certificates/server.keystore.jks
ssl.keystore.password=123456
ssl.truststore.location=/export/server/kafka_2.11-2.4.1/certificates/server.truststore.jks
ssl.truststore.password=123456
ssl.key.password=123456
ssl.endpoint.identification.algorithm=
security.inter.broker.protocol=SSL
ssl.client.auth=required
ssl.enabled.protocols=TLSv1.2
ssl.truststore.type=JKS
ssl.keystore.type=JKS
...

参考：https://www.ibm.com/docs/zh/cloud-paks/cp-biz-automation/21.0.3?topic=emitter-preparing-ssl-certificates-kafka