The MSFT Certificate Server does not have a product name per se. We have an 
internal Certificate Server in our AD infrastructure. In this use case I just 
generate a key pair on the UNIX side in a JKS. Then create a Certificate 
Signing Request (CSR) from that key. Then I sign it with our internal 
Certificate Authority. The result is a DER encoded cert which is imported back 
into the key store for the original alias. I also import our Root CA.

At this point the JKS used by the Rest Proxy has a trustedCertEntry for the 
RootCA and a PrivateKeyEntry for my server.

Then I take the keystore and dump it to PKCS12 format. This file is then 
imported into the local cert store on the Windows server. From that point I can 
specify the thumbprint of the cert to use when calling the Rest Proxy. Not 
exactly pretty, but we have to deal with Windows in our environment.

This is a test script in PowerShell:

#*************************************
#********CERTIFICATE LOADING**********
#*************************************
$checkURL="https://whateveryourURL.company.com:8082/topics";
$CertNumber="C47156654F949E8058E83F30D61C520E6FA209C2"

# LOAD CERTIFICATE FROM STORE (a single X509Certificate2 selected by thumbprint)
$Certificate = Get-ChildItem -Path Cert:\LocalMachine\My\$CertNumber
# CREATE WEB REQUEST
$req = [System.Net.HttpWebRequest]::Create($checkURL)
# ADD CERT TO WEB REQUEST (Add takes one certificate; AddRange expects a collection)
$req.ClientCertificates.Add($Certificate) | Out-Null

#*************************************
#***********READING SITE**************
#*************************************

# SET TIMEOUT (milliseconds)
$req.Timeout=10000
# GET WEB RESPONSE (throws on a TLS handshake failure or a non-2xx status)
$res = $req.GetResponse()
# GET DATA FROM RESPONSE
$ResponseStream = $res.GetResponseStream()
# Create a stream reader and read the stream returning the string value.
$StreamReader = New-Object System.IO.StreamReader -ArgumentList $ResponseStream
# BUILD STRING FROM RESPONSE
$strHtml = $StreamReader.ReadToEnd()
# RELEASE THE READER AND THE CONNECTION
$StreamReader.Close()
$res.Close()
$strHtml

Gene Robichaux
Senior Architect, Site Operations
Match.com
8750 North Central Expressway I Suite 1400 I Dallas, TX  75231
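The Windows-side half of the procedure in this mail (import the PKCS12 and the Root CA, confirm the certificate is actually usable for client authentication, then call the Rest Proxy with it) as an added example; this is not Gene's script and not Confluent project code. The URL and the LocalMachine\My store come from the script above; the file paths, the SecureString password prompt, the NoCheck revocation setting and the function names are assumptions. Written for Windows PowerShell 5.1, where Invoke-RestMethod errors surface as WebException.

```powershell
# Added example (not from the thread): Windows-side steps of the procedure, as functions
# so each step can be checked before the Rest Proxy is called.
# Assumptions (not in the original mails): the file paths, the password prompt, and that
# the PKCS12 was exported from the JKS holding the PrivateKeyEntry for the proxy client.

$PfxPath       = 'C:\certs\rest-proxy-client.p12'                    # assumed path
$RootCaPath    = 'C:\certs\internal-root-ca.cer'                     # assumed path (DER)
$ProxyUrl      = 'https://whateveryourURL.company.com:8082/topics'   # from the thread
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'                                 # id-kp-clientAuth OID

function Import-ProxyClientCertificate {
    param([string]$Path, [SecureString]$Password)
    # Import-PfxCertificate keeps the private key in LocalMachine\My alongside the cert;
    # a cert without its key cannot be offered for client authentication.
    Import-PfxCertificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\My' -Password $Password
}

function Import-InternalRootCa {
    param([string]$Path)
    # The internal Root CA goes into Trusted Root so the proxy's server cert chains locally.
    Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
}

function Get-ValidatedClientCertificate {
    param([string]$Thumbprint)
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key; re-export the JKS to PKCS12 with the key."
    }
    # Build the chain against the local store: this fails if the Root CA import was skipped.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: internal CA publishes no CRL/OCSP
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        throw "Chain for $Thumbprint does not validate: $status"
    }
    # If an EKU extension is present it must allow client authentication, otherwise the
    # TLS stack will quietly decline to offer the cert during the handshake.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })) {
        throw "Certificate $Thumbprint lacks the clientAuth EKU."
    }
    return $cert
}

function Invoke-RestProxy {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [int]$TimeoutSec = 10
    )
    try {
        # Invoke-RestMethod offers $Certificate in the TLS handshake, parses the JSON body,
        # and releases the connection itself (no StreamReader/response to close by hand).
        return Invoke-RestMethod -Uri $Url -Method Get -Certificate $Certificate -TimeoutSec $TimeoutSec -ErrorAction Stop
    }
    catch [System.Net.WebException] {
        # No HTTP response at all usually means the handshake failed (proxy rejected the client
        # chain); a 401/403 means TLS succeeded but the proxy did not accept the certificate.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no HTTP response (handshake failed?)' }
        throw "Rest Proxy call to $Url failed: $code - $($_.Exception.Message)"
    }
}

# Usage: run the imports once per web server (elevated), then call the proxy.
$pfxPassword = Read-Host -Prompt 'PKCS12 password' -AsSecureString
$imported    = Import-ProxyClientCertificate -Path $PfxPath -Password $pfxPassword
Import-InternalRootCa -Path $RootCaPath | Out-Null
$clientCert  = Get-ValidatedClientCertificate -Thumbprint $imported.Thumbprint
Invoke-RestProxy -Url $ProxyUrl -Certificate $clientCert
```

Two things the validation cannot catch: the account that makes the call (an IIS application pool identity, for instance) needs read access to the private key in LocalMachine\My, and on the proxy side the kafka-rest properties must set `ssl.client.auth=true` with a truststore that contains the internal Root CA, otherwise the handshake succeeds without the client certificate ever being checked.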



-----Original Message-----
From: Martin Gainty [mailto:mgai...@hotmail.com] 
Sent: Wednesday, February 01, 2017 3:56 PM
To: users@kafka.apache.org
Subject: Re: Anyone have guide for setting up the rest proxy using SSL and Client authentication

Unfortunately I'm more of a *nix guy.

I take it Windows has a CA server which will parse the cert and look up attrs (CN?) in a name-server?

What is the Microsoft CA server called?

If the cert is parsed and the keys match, which name-server do you use to look up attrs (CN?) in that scenario?


Merci Eugene

Martin
______________________________________________

________________________________
From: Gene Robichaux <gene.robich...@match.com>
Sent: Wednesday, February 1, 2017 2:31 PM
To: users@kafka.apache.org
Subject: RE: Anyone have guide for setting up the rest proxy using SSL and Client authentication

Not really.

I have managed to generate a cert with a single common CN, sign that with my 
internal CA and import that to the keystore that is referenced by the 
Kafka-Rest Proxy. I then distribute that Java Keystore (JKS) to all of the 
servers running the Rest API. The last part is to export that cert and import 
that to the local certificate stores only on the windows web servers that need 
access. When a webrequest is made it is made using that certificate. Also the 
rootCA and any intermediate certs are in the truststore on the server AND in 
the local cert store on the web servers.

So I got it to work.

Gene Robichaux
Senior Architect, Site Operations
Match.com
8750 North Central Expressway I Suite 1400 I Dallas, TX  75231



-----Original Message-----
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Wednesday, February 01, 2017 12:54 PM
To: users@kafka.apache.org
Subject: Re: Anyone have guide for setting up the rest proxy using SSL and Client authentication

Probably fighting an uphill battle sending cleartext POSTs and GETs with REST calls.


Most Apache server folk who secure an HTTP 1.1 server will front-end with a CA (provided by Thawte, VeriSign, GeoTrust)

https://www.geotrust.com

Once the credentials from the cert are validated against the <CA/Client> nameserver (LDAP) and the keys match, a secure handshake is initiated and the SSL request is redirected to your HTTP 1.1 server.


does this help?

Martin
______________________________________________

________________________________
From: Gene Robichaux <gene.robich...@match.com>
Sent: Wednesday, February 1, 2017 12:52 PM
To: users@kafka.apache.org
Subject: Anyone have guide for setting up the rest proxy using SSL and Client authentication


We are looking at the Rest Proxy for our environment but we want to secure 
connections to the Rest proxy via SSL AND Client Certificate authentication.



The SSL part is no big deal but I am struggling mightily with the client authentication portion.



Does someone have some details on how to properly set this up?



The general architecture is 3 rest proxies behind a load balancer. Windows web 
servers posting messages through the LB to the three proxies.



I have not really seen anyone running this configuration with client 
authentication. Any help would be appreciated.



Gene Robichaux

Senior Architect, Site Operations

Match.com

8750 North Central Expressway I Suite 1400 I Dallas, TX  75231