Hi Rohan,

Thanks for the quick response. I do have some trouble with providing the certificate chain to brokers... This is how I set up the keystore and truststore and provide them in server.properties:

1. Generate a PKCS12 file for the broker key/cert and the cert chain.

   kafka-key is the broker's private key; cert-signed is the broker's cert, signed by an intermediate CA, which is signed by a self-signed root CA; bundle-cert is the concatenation of the broker's cert (cert-signed), the intermediate CA's cert (ca1-cert) and the root CA's cert (caroot-cert).

   openssl pkcs12 -export -inkey kafka-key -in cert-signed -out bundle-cert.pkcs12 -password pass:123456 -chain -CAfile bundle-cert

2. Import the PKCS12 file into the broker's keystore.

   keytool -importkeystore -srckeystore bundle-cert.pkcs12 -srcstoretype PKCS12 -destkeystore kafka.server.keystore.jks -deststorepass 123456 -srcstorepass 123456 -noprompt

3. Import the root CA's certificate into the broker's truststore.

   keytool -keystore kafka.server.truststore.jks -alias caroot -import -file caroot-cert -storepass 123456 -noprompt

4. Provide them in server.properties.

After the above 4 steps, the brokers (I have 4 brokers) do not communicate with each other unless the intermediate CA's cert is added to the broker's truststore. Then I use kafkacat to try to produce data through SSL, and it always errors out no matter whether the root CA's cert or the intermediate CA's cert is provided; kafkacat's cert is signed with the intermediate CA's cert in this case. It looks like there is a problem with verifying the chain set in the brokers.

  [12:47:33][release@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=ca1-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
  %3|1541785738.749|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
  % ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: self signed certificate in certificate chain
  % ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating

  [12:48:58][release@ip-10-0-32-125:]$ kafkacat -P -X metadata.broker.list=hostname -X ssl.ca.location=caroot-cert -X security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093 -t topic_name -p 0 m-1.dat
  %3|1541785747.751|FAIL|rdkafka#producer-1| [thrd:ssl://10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
  % ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to verify broker certificate: invalid CA certificate
  % ERROR: Local: All broker connections are down: 1/1 brokers are down: terminating

Any clue what is going wrong?

Thanks!
Fang

On Fri, Nov 9, 2018 at 12:57 PM Rohan Rasane <rohan.ras...@gmail.com> wrote:

> Hi Fang,
> You will need to create a CSR using the Private Key, then get that CSR
> signed by your Certs team, which should be able to add the root and
> intermediate certs in the signed certs. Then you will have to add them to
> your stores on the host.
>
> Let me know if you have any specific questions.
>
> -Rohan
>
> On Fri, Nov 9, 2018 at 6:18 AM Fang Xing <fang.x...@gmail.com> wrote:
>
> > Hello,
> >
> > I'm looking for some instructions about setting up SSL in Kafka with
> > certificate chains.
> > There are instructions about settings for a broker
> > certificate issued by a self-signed root CA; however, I didn't find
> > information related to certificate chains.
> >
> > If the chain is like this: root ca -> intermediate ca -> kafka broker
> > certificate/key, how do I set up the keystore and truststore to include
> > the intermediate ca's certificate? Should it be put into the keystore or
> > the truststore, and in what format?
> >
> > Thanks!
> > Fang
>

--
Regards,
Fang
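Added example for the thread above (not code from Fang, Rohan or the Kafka project): a POSIX shell script that builds a root -> intermediate -> broker chain with openssl and then exercises the two checks the reported errors turn on. Per OpenSSL's verify(1) documentation, "self signed certificate in certificate chain" (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means the chain could be built from the certificates the peer sent, but the self-signed certificate at its top is not in the client's own trust store, while "invalid CA certificate" (X509_V_ERR_INVALID_CA) means a certificate sitting in a CA position of the chain is not a valid CA, in practice one lacking basicConstraints CA:TRUE or carrying a keyUsage without keyCertSign. The script produces both a proper intermediate and one signed with no extensions, verifies a broker certificate under each the way a client would (trusted file plus the chain as untrusted material), and mirrors step 1 of the procedure above to confirm how many certificates actually land in the PKCS#12. It assumes openssl 1.1.1 or later on PATH; every subject, hostname, file name and password in it is made up.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> broker chain with
# openssl and check the two things the reported errors hinge on: which CA a client must
# trust, and whether the intermediate actually carries CA extensions.
# Assumes openssl 1.1.1+ on PATH. All names, subjects and passwords below are made up.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: a CA cert must carry CA:TRUE (and keyCertSign); a broker cert must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n%s\n%s\n' \
  'extendedKeyUsage=serverAuth,clientAuth' 'subjectAltName=DNS:broker1.example.test' \
  > "$WORK/leaf.ext"

# new_key_and_csr NAME SUBJECT: throwaway RSA key (no passphrase) plus a CSR
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
    -subj "$2" 2>/dev/null
}

# sign NAME ISSUER [EXTFILE]: issue NAME's cert from its CSR with ISSUER's key
# (ISSUER=self gives a self-signed cert). Without EXTFILE the cert gets no extensions,
# which is exactly how an intermediate ends up without basicConstraints CA:TRUE.
sign() {
  ext=${3:+"-extfile $WORK/$3"}
  if [ "$2" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 $ext \
      -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -days 30 $ext -out "$WORK/$1.pem" 2>/dev/null
  fi
}

new_key_and_csr root    "/CN=Example Root CA"
new_key_and_csr int     "/CN=Example Intermediate CA"
new_key_and_csr badint  "/CN=Example Broken Intermediate CA"
new_key_and_csr broker  "/CN=broker1.example.test"
new_key_and_csr broker2 "/CN=broker1.example.test"
sign root    self   ca.ext    # self-signed root CA
sign int     root   ca.ext    # intermediate with proper CA extensions
sign badint  root             # intermediate signed with NO extensions
sign broker  int    leaf.ext  # broker cert under the proper intermediate
sign broker2 badint leaf.ext  # broker cert under the broken intermediate

# verify_chain TRUSTED UNTRUSTED LEAF: what a client does with the chain a broker sends.
# Prints "OK", or openssl's reason text (e.g. "invalid CA certificate").
verify_chain() {
  out=$(openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" "$WORK/$3.pem" 2>&1)
  case "$out" in
    *": OK") echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*lookup: *//p' | head -n 1 ;;
  esac
}

# Mirror of the thread's step 1: key + cert + chain into PKCS#12, chain built from a CA bundle.
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
openssl pkcs12 -export -inkey "$WORK/broker.key" -in "$WORK/broker.pem" -chain \
  -CAfile "$WORK/ca-bundle.pem" -out "$WORK/broker.p12" -passout pass:changeit 2>/dev/null
# p12_cert_count: number of certificates inside the bundle (3 = broker + intermediate + root)
p12_cert_count() {
  openssl pkcs12 -in "$WORK/broker.p12" -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "trust root, intermediate in chain:        $(verify_chain root int broker)"
echo "trust intermediate only, root in chain:   $(verify_chain int root broker)"
echo "trust root, intermediate lacks CA:TRUE:   $(verify_chain root badint broker2)"
echo "certificates inside broker.p12:           $(p12_cert_count)"
```

The same two checks can be run against the files named in the thread: `openssl verify -CAfile caroot-cert -untrusted ca1-cert cert-signed` tells you whether the chain verifies from the root at all, and `openssl x509 -in ca1-cert -noout -text` shows whether the intermediate carries "CA:TRUE" under "X509v3 Basic Constraints". Trusting only the intermediate fails by default because OpenSSL does not accept a non-self-signed certificate as a trust anchor unless partial-chain verification is enabled, which is why the root belongs in the truststore. Importing the PKCS#12 into the JKS keystore (step 2) carries the chain over unchanged; `keytool -list -v -keystore kafka.server.keystore.jks` reports it as "Certificate chain length: 3" under the PrivateKeyEntry, which confirms the broker will send the intermediate to clients.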