I tried the keytool command suggested by you. Still getting the same error.

On Fri, Jun 4, 2021 at 10:50 AM Ran Lupovich <ranlupov...@gmail.com> wrote:
> The default format is jks,
>
> Use keytool to create a Java KeyStore (JKS) with the certificate and key
> for use by Kafka. You'll be prompted to create a new password for the
> resulting file as well as enter the password for the PKCS12 file from the
> previous step. Hang onto the new JKS password for use in configuration
> below.
>
> $ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net
>
> Note: It's safe to ignore the following warning from keytool.
>
> The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12"
>
> On Fri, 4 June 2021, 07:40, Dhirendra Singh <dhirendr...@gmail.com> wrote:
>
> > I am trying to set up 2-way SSL authentication. My requirement is that the broker
> > should authenticate only specific clients.
> > My organization has a CA which issues all certificates in PKCS12 format.
> > The steps I followed are as follows.
> >
> > 1. Get a certificate for the broker and configure it in the broker keystore:
> >    ssl.keystore.location=/home/kafka/certificate.p12
> >    ssl.keystore.password=xxxxx
> >    ssl.client.auth=required
> > 2. Get a certificate for the client and configure it in the client keystore:
> >    ssl.keystore.location=/home/kafka/certificate.p12
> >    ssl.keystore.password=xxxxx
> > 3. Extract the public certificate from the client certificate using the keytool command:
> >    keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
> > 4. Import the certificate into the broker truststore. The broker truststore
> >    contains only the client 12345 certificate.
> >    keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
> > 5. Configure the truststore in the broker:
> >    ssl.truststore.location=/home/kafka/truststore.p12
> >    ssl.truststore.password=xxxxx
> > 6. Configure the truststore in the client. The client truststore contains the CA certificates.
> >    ssl.truststore.location=/etc/pki/java/cacerts
> >    ssl.truststore.password=xxxxx
> >
> > When I run the broker and client I expect the broker to authenticate the
> > client and establish an SSL connection, but instead the following error is thrown.
> >
> > [2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> > [2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
> > org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
> > Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello
> >
> > I tried various things but nothing seems to work. When I replace the broker
> > truststore with the /etc/pki/java/cacerts truststore file, which contains only
> > the CA certificate, then it works fine. But it will authenticate any client which has a
> > certificate issued by the CA.
> >
> > What could be the issue?