Raghav,
*My guess about the problem is that I was generating a csr (certificate
signing request), which is different from actually extracting the certificate.
Please correct me if I am wrong.*
Yes, that is correct. Use "keytool -exportcert" to extract the certificate.
*To actually address our problem
Raghav,
If you send me the full command sequence, I can take a look. Also, which
JRE are you using?
Regards,
Rajini
On Thu, May 18, 2017 at 12:19 PM, Raghav wrote:
> Rajini
>
> I just tried this. It turns out that I can't import cert-file by itself in
> trust store until it is signed by a CA.
Rajini
I just tried this. It turns out that I can't import cert-file by itself in
trust store until it is signed by a CA. Could be because of the format?
Any idea here ...
In the above steps, if I sign the server-cert-file and client-cert-file by
a private CA then I can add them to trust store a
Raghav,
Perhaps what you want to do is:
*You do (for the brokers):*
Generate key-pair for broker:
keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
Export certificate to a file to send to your customers:
keytool -exportcert -file server-cert-file -keystore
kaf
Rajini,
Sure, will submit a PR shortly.
Your answer is very helpful, but I think I did not put the question
correctly. Pardon my ignorance, but I am still trying to find my way around
Kafka security.
I was trying to understand, can we (Kafka Broker) just add the certificate
(unsigned or signed) from
Raghav,
Yes, you can create a truststore with your customers' certificates and
vice-versa. It will be best to give your CA certificate to your customers
and get the CA certificate from each of your customers and add them to your
broker's truststore. You can both then create additional certificates
Another quick question:
Say we chose to add our customer's certificates directly to our brokers'
trust store and vice versa, could that work? There is no documentation on
Kafka or Confluent site for this?
Thanks.
On Wed, May 17, 2017 at 1:56 PM, Rajini Sivaram
wrote:
> Raghav,
>
> 1. Yes, yo
Raghav,
1. Yes, your customers can use certificates signed by a trusted authority.
You can simply omit the truststore configuration for your broker in
server.properties, and Kafka would use the default, which will trust the
client certificates. If your brokers are using SSL for inter-broker
commun
One follow-up question, Rajini:
1. Can we use some other mechanism like having our customers use a well-known
CA which JKS understands, and in that case we don't have to ask our
customers to do this certificate-in and certificate-out thing? I am just
trying to understand if we can make our custome
Many thanks, Rajini.
On Tue, May 16, 2017 at 8:43 AM, Rajini Sivaram
wrote:
> Hi Raghav,
>
> If your Kafka broker is configured with *ssl.client.auth=required,* your
> customer's clients need to provide a keystore. In any case, they need a
> truststore since your broker is using SSL. For the tru
Hi Raghav,
If your Kafka broker is configured with *ssl.client.auth=required,* your
customer's clients need to provide a keystore. In any case, they need a
truststore since your broker is using SSL. For the truststore, you can
give them ca-cert, as you mentioned. Client keystore contains a
certif
Hi Rajini
This was very helpful. I have another question on similar lines.
We host Kafka Broker, and we also have our own private CA. We want our
customers to set up their Kafka Clients (Producer and Consumer) using SSL
using *ssl.client.auth=required*.
Is there a way, we can generate certificat
Raghav,
1. Clients need a keystore if you are using TLS client authentication. To
enable client authentication, you need to configure ssl.client.auth in
server.properties. This can be set to required|requested|none. If you don't
enable client authentication, any client will be able to connect to y
Hi
I read the documentation here:
https://kafka.apache.org/documentation/#security_ssl
I have a few questions about trust store and keystore based on this scenario:
We have 5 Kafka Brokers in our cluster. We want our clients to write to our
Kafka brokers in a secure way. Suppose, we also host a pr