Step 3: Sign the certificate
Learn how to self-sign certificates created for Kafka.
- Create a certificate request from the keystore:
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
where:
- keystore: the location of the keystore
- cert-file: the exported, unsigned certificate request of the server
- Sign the resulting certificate with the CA (in the real world, this can be done using a real CA):
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days validity -CAcreateserial -passin pass:ca-password
where:
- ca-cert: the certificate of the CA
- ca-key: the private key of the CA
- cert-signed: the signed certificate of the server
- validity: the number of days for which the signed certificate is valid
- ca-password: the passphrase of the CA
- Import both the certificate of the CA and the signed certificate into the keystore:
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
The following Bash script demonstrates the steps described above. One of the commands assumes a password of SamplePassword123, so either use that password or edit the command before running it.
#!/bin/bash
#Step 1
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey
#Step 2
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
#Step 3
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:SamplePassword123
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
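Before importing cert-signed into the keystore, it is worth confirming that the file really is a certificate that chains to ca-cert (a common slip is importing the unsigned cert-file, or signing with the wrong CA). The following script is an added example, not part of the original page: it uses openssl only, the keystore import steps stay as above, and the CA subject names and the second "unrelated" CA are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: check a CA-signed Kafka server certificate before importing it.
# Uses openssl only; file names and the passphrase SamplePassword123 follow the
# page, the CA subject names are constructed for this demonstration.
set -u

# verify_signed_cert CA_CERT SIGNED_CERT
# Returns 0 when SIGNED_CERT is an X.509 certificate that chains to CA_CERT
# and is within its validity period, 1 otherwise. Prints subject, issuer
# and validity dates so they can be eyeballed before the keytool import.
verify_signed_cert() {
  local ca_cert="$1" signed="$2"
  # Reject a CSR (cert-file) or anything else that is not a certificate.
  if ! openssl x509 -in "$signed" -noout >/dev/null 2>&1; then
    echo "not an X.509 certificate: $signed" >&2
    return 1
  fi
  openssl x509 -in "$signed" -noout -subject -issuer -dates
  # Chain check: signature must validate against the CA and dates must be current.
  if ! openssl verify -CAfile "$ca_cert" "$signed" >/dev/null 2>&1; then
    echo "certificate does not chain to $ca_cert" >&2
    return 1
  fi
  return 0
}

# Constructed demo material in a scratch directory: a CA, a CSR for the
# broker (as keytool -certreq would export it) and the CA-signed result.
WORK="$(mktemp -d)"
cd "$WORK" || exit 1
openssl req -new -x509 -newkey rsa:2048 -keyout ca-key -out ca-cert -days 365 \
  -subj "/CN=Demo Kafka CA" -passout pass:SamplePassword123 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server-key -out cert-file \
  -subj "/CN=localhost" 2>/dev/null
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
  -days 365 -CAcreateserial -passin pass:SamplePassword123 2>/dev/null
# A second, unrelated CA (constructed) to show the check failing.
openssl req -new -x509 -newkey rsa:2048 -nodes -keyout other-key -out other-ca \
  -days 365 -subj "/CN=Unrelated CA" 2>/dev/null

verify_signed_cert ca-cert cert-signed && echo "cert-signed: OK, safe to import"
verify_signed_cert other-ca cert-signed || echo "other-ca: rejected as expected"
verify_signed_cert ca-cert cert-file || echo "cert-file: rejected (CSR, not a certificate)"
```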