Step 3: Sign the certificate
Learn how to sign the Kafka broker certificate created in Step 1 with the CA created in Step 2.
- Create a certificate request from the keystore:
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
where:
- keystore: the location of the keystore
- cert-file: the exported, unsigned certificate of the server
- Sign the certificate request with the CA (in production, the request would be sent to a real CA instead):
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days validity -CAcreateserial -passin pass:ca-password
where:
- ca-cert: the certificate of the CA
- ca-key: the private key of the CA
- cert-signed: the signed certificate of the server
- validity: the number of days the signed certificate remains valid
- ca-password: the passphrase protecting the CA private key (the one entered when ca-key was created in Step 2)
Note that -CAcreateserial writes the serial number counter to a file named ca-cert.srl next to ca-cert; keep it if you sign further certificates with the same CA.
- Import both the certificate of the CA and the signed certificate into the keystore. Import the CA certificate first, under its own alias, so that keytool can validate the signed reply against it when it is imported under the alias of the key:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
The following Bash script demonstrates the steps described above. The keytool commands prompt for the keystore password and, in Step 1, for the distinguished name; the CN you enter there should be the hostname clients use to reach the broker, because clients with hostname verification enabled (ssl.endpoint.identification.algorithm=https) reject a certificate whose name does not match. The openssl req command in Step 2 prompts for a passphrase for ca-key, and the signing command in Step 3 assumes that passphrase is SamplePassword123, so either enter that passphrase at the prompt or edit the -passin argument before running the script.
#!/bin/bash
# Step 1: generate the broker key pair in the keystore.
# -keyalg RSA is specified explicitly because older keytool versions default to DSA.
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey -keyalg RSA
# Step 2: create a self-signed CA (prompts for the ca-key passphrase; use SamplePassword123
# or edit the -passin argument below) and add it to the server and client truststores.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
# Step 3: export a certificate request, sign it with the CA, then import the CA
# certificate and the signed certificate (CA first) into the broker keystore.
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:SamplePassword123
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
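The script above is interactive and stops without telling you whether the result is actually usable. The following script is an added example, not part of the Kafka documentation: it runs the same three steps without prompts, adds a subjectAltName for the broker hostname at signing time, and then verifies the outcome (the signed certificate chains to the CA, its issuer equals the CA subject, the hostname is in the SAN, and the keystore entry now holds a two-certificate chain). The CA subject, the hostname, the passwords, the file names and the working directory are assumptions chosen for illustration; it needs openssl and a JDK keytool on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kafka documentation: non-interactive version of
# Steps 1-3 plus a verification step. CA subject, hostname, passwords, file names
# and the working directory are assumptions chosen for illustration.
set -eu

STOREPASS="${STOREPASS:-SamplePassword123}"  # keystore and key password (assumed)
CAPASS="${CAPASS:-SamplePassword123}"        # passphrase protecting ca-key (assumed)
BROKER_HOST="${BROKER_HOST:-localhost}"      # name clients will connect to (assumed)
VALIDITY="${VALIDITY:-365}"
WORKDIR=""                                   # set by run_all

have_tools() { command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; }

make_ca() {
  # Step 2 equivalent: self-signed CA. The passphrase is given on the command line
  # instead of at a prompt, so it is guaranteed to match the -passin used when signing.
  openssl req -new -x509 -newkey rsa:2048 -days "$VALIDITY" \
    -subj "/CN=Example Kafka CA" -keyout "$WORKDIR/ca-key" -out "$WORKDIR/ca-cert" \
    -passout "pass:$CAPASS"
}

make_broker_keypair() {
  # Step 1 equivalent: explicit RSA key (older keytool versions default to DSA),
  # CN set to the broker hostname, no interactive prompts.
  keytool -keystore "$WORKDIR/server.keystore.jks" -alias localhost -validity "$VALIDITY" \
    -genkeypair -keyalg RSA -keysize 2048 -dname "CN=$BROKER_HOST" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

sign_broker_cert() {
  # Step 3: CSR from the keystore, signed by the CA. A subjectAltName is added at
  # signing time so clients with hostname verification enabled accept the certificate.
  keytool -keystore "$WORKDIR/server.keystore.jks" -alias localhost -certreq \
    -file "$WORKDIR/cert-file" -storepass "$STOREPASS"
  printf 'subjectAltName=DNS:%s\n' "$BROKER_HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/cert-file" -CA "$WORKDIR/ca-cert" -CAkey "$WORKDIR/ca-key" \
    -CAcreateserial -days "$VALIDITY" -passin "pass:$CAPASS" \
    -extfile "$WORKDIR/san.ext" -out "$WORKDIR/cert-signed"
  # CA certificate first, so keytool can validate the signed reply against it.
  keytool -keystore "$WORKDIR/server.keystore.jks" -alias CARoot -import -noprompt \
    -file "$WORKDIR/ca-cert" -storepass "$STOREPASS"
  keytool -keystore "$WORKDIR/server.keystore.jks" -alias localhost -import \
    -file "$WORKDIR/cert-signed" -storepass "$STOREPASS"
}

verify_chain() {
  # 1. The signed certificate chains to the CA.
  openssl verify -CAfile "$WORKDIR/ca-cert" "$WORKDIR/cert-signed" >/dev/null || return 1
  # 2. Its issuer is exactly the CA's subject.
  iss=$(openssl x509 -in "$WORKDIR/cert-signed" -noout -issuer -nameopt RFC2253)
  sub=$(openssl x509 -in "$WORKDIR/ca-cert" -noout -subject -nameopt RFC2253)
  [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
  # 3. The hostname clients use appears in the SAN.
  txt=$(openssl x509 -in "$WORKDIR/cert-signed" -noout -text)
  case "$txt" in *"DNS:$BROKER_HOST"*) ;; *) return 1 ;; esac
  # 4. The keystore entry now carries the two-certificate chain (broker + CA).
  lst=$(keytool -list -v -keystore "$WORKDIR/server.keystore.jks" -alias localhost \
        -storepass "$STOREPASS")
  case "$lst" in *"Certificate chain length: 2"*) ;; *) return 1 ;; esac
}

run_all() {
  # Runs the whole procedure into the directory given as $1 (a fresh temp dir by default).
  WORKDIR="${1:-$(mktemp -d)}"
  make_ca && make_broker_keypair && sign_broker_cert && verify_chain
}

if have_tools; then
  run_all "$(mktemp -d)" && echo "signed chain verified; artifacts in $WORKDIR"
else
  echo "openssl and keytool (JDK) are required" >&2
fi
```

Because run_all writes into a fresh directory each time, it can be re-run safely; point WORKDIR at a persistent location (run_all /path/to/dir) when you want to keep the keystore, ca-cert and ca-cert.srl for the truststore steps and for signing further brokers with the same CA.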