Step 3: Sign the certificate

Learn how to sign the broker certificate generated in step 1 with the CA created in step 2, so that every client that trusts the CA also trusts the broker.

  1. Create a certificate signing request (CSR) from the keystore (keytool prompts for the keystore password):
    keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file

    where:

    • keystore: the location of the keystore that holds the broker key pair
    • cert-file: the exported CSR for the server, containing the public key and identity but not the private key, which never leaves the keystore
  2. Sign the CSR with the CA (in production this is normally done by an organizational or public CA rather than a CA you created yourself):
    openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days validity -CAcreateserial -passin pass:ca-password

    where:

    • ca-cert: the certificate of the CA
    • ca-key: the private key of the CA
    • cert-signed: the signed certificate of the server
    • validity: the number of days the signed certificate remains valid
    • ca-password: the passphrase of the CA private key

    Two caveats: passing the passphrase as pass:ca-password exposes it in the process list and shell history, so on a shared machine prefer the env: or file: forms of -passin or let openssl prompt for it; and openssl x509 -req does not copy extensions from the CSR, so if clients verify the broker hostname (ssl.endpoint.identification.algorithm=https) the subjectAltName has to be supplied at signing time with -extfile.
  3. Import both the certificate of the CA and the signed certificate into the keystore, in that order: keytool needs the CA certificate already present under its own alias to build and validate the chain when the signed certificate is imported, and it replaces the self-signed certificate stored under the localhost alias with the CA-signed one:
    
    keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed

The following Bash script runs all three steps end to end. The openssl req command in step 2 prompts for a passphrase for the CA private key, and the openssl x509 command in step 3 assumes that passphrase was SamplePassword123, so either enter that passphrase at the prompt or edit the command before running it. The keytool commands prompt interactively for keystore and truststore passwords.


#!/bin/bash
set -e   # stop at the first failing command instead of importing a certificate that was never signed

#Step 1: generate the broker key pair in the server keystore
# (keytool prompts for the keystore password and the certificate's distinguished name;
# -keyalg RSA avoids the JDK-dependent default key algorithm)
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA

#Step 2: create a self-signed CA and add its certificate to the server and client truststores
# (openssl prompts for a CA key passphrase; the step 3 command below assumes SamplePassword123)
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert -keystore client.truststore.jks

#Step 3: export a CSR, sign it with the CA, then import the CA certificate and the signed
# certificate into the keystore (CA certificate first so keytool can build the chain)
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:SamplePassword123
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
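The script above signs the CSR exactly as the page's step 3 describes but does not check the result before importing it. The following Bash script is an added example, not part of the Kafka documentation: it signs the CSR while attaching a subjectAltName (which openssl x509 -req will not copy from the CSR on its own), verifies that the signed certificate chains to the CA and matches the broker hostname, and checks that the keystore ends up with a two-element chain after the imports. The file names ca-cert, ca-key, cert-file and cert-signed follow the page; the hostname kafka-1.example.internal and the environment variables CA_PASS and KEYSTORE_PASS are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not from the Kafka docs): sign the broker CSR from step 1 with the
# CA from step 2 while attaching a subjectAltName, then verify the result before
# importing it. Assumed names: files ca-cert, ca-key, cert-file, cert-signed as on
# the page; hostname kafka-1.example.internal; passphrases read from the environment
# variables CA_PASS and KEYSTORE_PASS rather than given on the command line, so they
# do not appear in ps output or shell history.
set -euo pipefail

# sign_csr CSR OUT HOSTNAME [DAYS]
# openssl x509 -req ignores any extensions in the CSR, so the SAN is supplied with
# -extfile. Kafka clients that verify hostnames
# (ssl.endpoint.identification.algorithm=https) reject a broker certificate whose
# SAN does not contain the advertised listener name.
sign_csr() {
  local csr=$1 out=$2 host=$3 days=${4:-365}
  : "${CA_PASS:?set CA_PASS to the CA private key passphrase}"
  local ext
  ext=$(mktemp)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$ext"
  openssl x509 -req -CA ca-cert -CAkey ca-key -in "$csr" -out "$out" \
    -days "$days" -CAcreateserial -extfile "$ext" -passin env:CA_PASS
  rm -f "$ext"
}

# verify_signed_cert CERT HOSTNAME
# Succeeds only if CERT chains to ca-cert and its SAN (or CN) matches HOSTNAME,
# the same two checks a client performs during the TLS handshake.
verify_signed_cert() {
  local cert=$1 host=$2
  openssl verify -CAfile ca-cert -verify_hostname "$host" "$cert" >/dev/null
}

# keystore_chain_ok KEYSTORE ALIAS
# After the two imports of step 3 the broker alias should carry a two-element chain
# (leaf certificate plus CA). A chain length of 1 means the signed certificate was
# imported without the CA certificate being present first.
keystore_chain_ok() {
  local ks=$1 alias=$2
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
  keytool -keystore "$ks" -storepass "$KEYSTORE_PASS" -alias "$alias" -list -v \
    | grep -q 'Certificate chain length: 2'
}

# Usage: CA_PASS=... ./sign-and-verify.sh cert-file cert-signed kafka-1.example.internal
if [ "$#" -eq 3 ]; then
  sign_csr "$1" "$2" "$3"
  verify_signed_cert "$2" "$3" && echo "signed certificate verifies for $3"
fi
```

Run keystore_chain_ok server.keystore.jks localhost after the two keytool imports; if it fails, the CA certificate was imported after the signed certificate (or not at all) and the broker will present a chain that clients cannot build back to the CA in their truststore.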