Many thanks, Rajini.

On Tue, May 16, 2017 at 8:43 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Hi Raghav,
>
> If your Kafka broker is configured with *ssl.client.auth=required,* your
> customer's clients need to provide a keystore. In any case, they need a
> truststore since your broker is using SSL. For the truststore, you can
> give them ca-cert, as you mentioned. Client keystore contains a
> certificate and a private key.
>
> In the round-trip you described, customers generate the keys and give you
> the certificate signing request, keeping their private key private. You
> then send them back a signed certificate that goes into their keystore.
> This is the standard way of signing and is secure.
>
> In the single step scenario that you described, you generate the
> customer's key-pair consisting of certificate and private key. You then
> need to send them both the signed certificate and the private key. This is
> less secure. Unlike the round-trip, you now have the private key of the
> customer.
>
> Regards,
>
> Rajini
>
> On Tue, May 16, 2017 at 10:47 AM, Raghav <raghavas...@gmail.com> wrote:
>
>> Hi Rajini
>>
>> This was very helpful. I have another question on similar lines.
>>
>> We host Kafka Broker, and we also have our own private CA. We want our
>> customers to set up their Kafka Clients (Producer and Consumer) using SSL
>> using *ssl.client.auth=required*.
>>
>> Is there a way we can generate a certificate for our clients, sign it
>> using our private CA, and then hand over to our customers these two
>> certificates (1. ca-cert 2. cert-signed), which if they add to their
>> keystore and truststore, they can send messages to our Kafka brokers while
>> keeping *ssl.client.auth=required*.
>>
>> We are looking to minimize our customers' pre-setup steps. For example, in
>> the normal scenario, customers will need to generate a certificate and hand over
>> their certificate request to our private CA, which we then sign and
>> send them the signed certificate and the private CA's certificate. So there is one
>> round trip. Just wondering if we can reduce these 2 steps to 1 step.
>>
>> Thanks.
>>
>> On Fri, May 12, 2017 at 8:53 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>
>>> Raghav,
>>>
>>> 1. Clients need a keystore if you are using TLS client authentication. To
>>> enable client authentication, you need to configure ssl.client.auth in
>>> server.properties. This can be set to required|requested|none. If you don't
>>> enable client authentication, any client will be able to connect to your
>>> broker. You could alternatively use SASL for client authentication.
>>>
>>> 2. Client keystore is mandatory if ssl.client.auth=required, optional for
>>> requested and not used for none. The truststore configured on the client is
>>> used to authenticate the server. So you have to provide it unless your
>>> broker is using certificates signed by a trusted authority.
>>>
>>> Hope that helps.
>>>
>>> Rajini
>>>
>>> On Fri, May 12, 2017 at 11:35 AM, Raghav <raghavas...@gmail.com> wrote:
>>>
>>> > Hi
>>> >
>>> > I read the documentation here:
>>> > https://kafka.apache.org/documentation/#security_ssl
>>> >
>>> > I have a few questions about trust store and keystore based on this scenario:
>>> >
>>> > We have 5 Kafka Brokers in our cluster. We want our clients to write to our
>>> > Kafka brokers in a secure way. Suppose we also host a private CA as
>>> > mentioned in the documentation above, and provide our clients the *ca-cert*
>>> > file, which they add to their trust store.
>>> >
>>> > 1. Do we require our clients to generate their certificate and have it
>>> > signed by our private CA, and add it to their keystore?
>>> >
>>> > 2. When is keystore used by clients, and when is truststore used by clients?
>>> >
>>> > Thanks.
>>> >
>>> > --
>>> > R
>>
>> --
>> Raghav

--
Raghav
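The CSR round-trip Rajini describes, as an added example that is not part of this thread or of the Kafka project: both sides are driven with openssl in one script, with separate directories so it is visible which files cross between customer and CA. Assumptions: the subject names, paths, one-week validity, the keystore password, and the use of a PKCS12 keystore (Kafka reads it with ssl.keystore.type=PKCS12; the Kafka docs use keytool and JKS).

```shell
#!/bin/sh
# Added example, not from the thread. Every name, path and validity period
# below is an assumption. $ca is "our" side (private CA), $cust is the
# customer's side. Only client.csr travels to the CA; only cert-signed and
# ca-cert travel back. The customer's private key never leaves $cust.
ssl_round_trip() {
  work=$(mktemp -d); ca="$work/ca"; cust="$work/customer"
  mkdir -p "$ca" "$cust"

  # Our side: the private CA (what the Kafka docs call ca-key / ca-cert).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 7 \
    -subj "/CN=example-private-ca" \
    -keyout "$ca/ca-key" -out "$ca/ca-cert" 2>/dev/null

  # Customer side: key pair generated here, only the CSR is handed over.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=customer-client" \
    -keyout "$cust/client-key" -out "$cust/client.csr" 2>/dev/null

  # Our side: sign the CSR and return cert-signed (plus ca-cert for the truststore).
  openssl x509 -req -in "$cust/client.csr" -CA "$ca/ca-cert" -CAkey "$ca/ca-key" \
    -CAcreateserial -days 7 -out "$cust/cert-signed" 2>/dev/null

  # Customer side: keystore = private key + signed cert, as a PKCS12 file.
  # (Truststore is just ca-cert imported with keytool -import as in the docs.)
  openssl pkcs12 -export -passout pass:changeit -name client \
    -inkey "$cust/client-key" -in "$cust/cert-signed" \
    -out "$cust/kafka.client.keystore.p12" || return 1

  # Checks the customer can run before trusting what came back:
  # 1) cert-signed chains to ca-cert,
  openssl verify -CAfile "$ca/ca-cert" "$cust/cert-signed" >/dev/null || return 1
  # 2) the returned certificate carries the public key of the key they kept,
  k=$(openssl pkey -in "$cust/client-key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$cust/cert-signed" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] || return 1
  # 3) and the CA side never held a copy of the customer's private key
  #    (the property the single-step variant gives up).
  [ ! -e "$ca/client-key" ] || return 1

  rm -rf "$work"
  return 0
}
```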