I had added those configurations but am still seeing only junk certificates from the client side. Any idea how to solve this?

Thanks
Anjali

On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> wrote:

> ssl.truststore.location=/root/truststore.jks
> ssl.truststore.type=JKS
> ssl.truststore.password=changeme
> ssl.keystore.location=/root/alice.jks
> ssl.keystore.type=JKS
> ssl.keystore.password=changeme
> security.protocol=SSL
> bootstrap.server=cp-kafka1:9093
> ssl.endpoint.identification.algorithm=https
>
> This worked for me pretty well.
>
> Of course you need to generate those certs from OpenSSL.
>
> The trust store only contains the CA cert; the key store contains the keypair for alice (the user here).
>
> Wu Shilin
> Solution Architect, Confluent <https://www.confluent.io>
>
> On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
>
> > Thanks for this info. Can you please share what all needs to be present on the client side for mTLS, as in what configuration is needed on that side?
> >
> > Thanks
> >
> > On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid> wrote:
> >
> > > A few things to check:
> > >
> > > 1. The client trust store needs to trust the server cert's issuer cert (AKA the CA cert).
> > > 2. The client must have a keystore that can be trusted by the server's trust store.
> > > 3. The server needs to be accessed either via FQDN, or via one of the SAN addresses. If you are doing self-signing, you can add many DNS aliases and even IP addresses to the server's cert.
> > > 4. Make sure the server cert has extended key usage of serverAuth, and the client cert has extended key usage of clientAuth. Actually you can have both, if you are generating them yourself.
> > >
> > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > >
> > > > Hi All,
> > > >
> > > > While trying for mTLS with ssl.client.aut=required, from the client side we are seeing some junk certificates which we have not imported on the client side. Please help with this?
> > > >
> > > > Thanks & Regards
> > > >
> > > > Anjali
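The four checks in Shilin's list, as an added example that is not from the thread and not Kafka's own code: a stdlib-only Go program that issues a constructed CA, broker and client certificate and then verifies chain trust, the broker's SAN and the serverAuth/clientAuth EKUs the way a strict TLS peer would. The names cp-kafka1 and alice come from the configuration above; test-ca and kafka.internal are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
var serverAuth, clientAuth = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // EKUs a broker cert and a client cert need (check 4)
// issue signs a constructed certificate for cn with the given SANs and EKUs; a nil parent yields a self-signed CA.
func issue(cn string, san []string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as openssl would assign
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: san,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
	if parent == nil { // a CA cert needs basic constraints and keyCertSign rather than an EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der) // inputs are fixed constructed values, so errors are not expected here
	return cert, key
}
// checkMTLS applies checks 1-4 from the thread: the broker cert must chain to the trusted CA, match brokerHost via its
// SANs and carry EKU serverAuth; the client cert must chain to the same CA and carry EKU clientAuth (no EKU at all passes).
func checkMTLS(ca, server, client *x509.Certificate, brokerHost string) (problems []string) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: brokerHost, KeyUsages: serverAuth}); err != nil {
		problems = append(problems, "server: "+err.Error())
	}
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: clientAuth}); err != nil {
		problems = append(problems, "client: "+err.Error())
	}
	return problems
}
// Demo issues a CA, a broker cert with SAN cp-kafka1 and a client cert for alice, then checks the correct set, a client cert mistakenly issued with EKU serverAuth, and the broker reached by a name not in its SANs.
func Demo() (good, badEKU, badHost []string) {
	ca, caKey := issue("test-ca", nil, nil, nil, nil)
	srv, _ := issue("cp-kafka1", []string{"cp-kafka1"}, serverAuth, ca, caKey)
	cli, _ := issue("alice", nil, clientAuth, ca, caKey)
	wrongCli, _ := issue("alice", nil, serverAuth, ca, caKey)
	good = checkMTLS(ca, srv, cli, "cp-kafka1")
	badEKU = checkMTLS(ca, srv, wrongCli, "cp-kafka1")
	badHost = checkMTLS(ca, srv, cli, "kafka.internal")
	return good, badEKU, badHost
}
```

To run the same checks on real material, export each certificate from its JKS store with `keytool -exportcert -rfc`, parse the PEM with x509.ParseCertificate and pass the results to checkMTLS.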