Thanks for this but we are trying to do this on command line but getting
this bad certificate error
On Thu, Jun 24, 2021, 17:52 Shilin Wu <s...@confluent.io.invalid> wrote:
> you may do openssl s_client -connect kafkahost:port to dump the cert.
>
> See if the cert makes sense.
>
> To test if your SSL works, you may try use this java program to test if you
> have SSL trust issue - if it connects ok, the cert trust is mostly to be
> okay. (remember to change your host name in code, and jks path in command
> line options.
>
>
> java -Djavax.net.ssl.trustStore=truststore.jks
> -Djavax.net.ssl.trustStorePassword=changeme Test
>
> import java.net.*;
>
> import java.io.*;
>
> import javax.net.ssl.*;
>
>
> /*
>
> * This example demostrates how to use a SSLSocket as client to
>
> * send a HTTP request and get response from an HTTPS server.
>
> * It assumes that the client is not behind a firewall
>
> */
>
>
> public class Test {
>
>
> public static void main(String[] args) throws Exception {
>
> try {
>
> SSLSocketFactory factory =
>
> (SSLSocketFactory)SSLSocketFactory.getDefault();
>
> SSLSocket socket =
>
> (SSLSocket)factory.createSocket("cp-kafka1", 9093);
>
>
> /*
>
> * send http request
>
> *
>
> * Before any application data is sent or received, the
>
> * SSL socket will do SSL handshaking first to set up
>
> * the security attributes.
>
> *
>
> * SSL handshaking can be initiated by either flushing data
>
> * down the pipe, or by starting the handshaking by hand.
>
> *
>
> * Handshaking is started manually in this example because
>
> * PrintWriter catches all IOExceptions (including
>
> * SSLExceptions), sets an internal error flag, and then
>
> * returns without rethrowing the exception.
>
> *
>
> * Unfortunately, this means any error messages are lost,
>
> * which caused lots of confusion for others using this
>
> * code. The only way to tell there was an error is to call
>
> * PrintWriter.checkError().
>
> */
>
> socket.startHandshake();
>
>
> socket.close();
>
>
> } catch (Exception e) {
>
> e.printStackTrace();
>
> }
>
> }
>
> }
>
> [image: Confluent] <https://www.confluent.io>
> Wu Shilin
> Solution Architect
> +6581007012
> Follow us: [image: Blog]
> <
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> >[image:
> Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> <https://www.linkedin.com/company/confluent/>[image: Slack]
> <https://slackpass.io/confluentcommunity>[image: YouTube]
> <https://youtube.com/confluent>
> [image: Kafka Summit] <https://www.kafka-summit.org/>
>
>
> On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <
> sharma.anjali.2...@gmail.com>
> wrote:
>
> > Had added those configuration but still seeing only junk certificates
> from
> > client side ? Any idea how to solve?
> >
> >
> > Thanks
> > Anjali
> >
> > On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> wrote:
> >
> > > ssl.truststore.location=/root/truststore.jks
> > >
> > > ssl.truststore.type=JKS
> > >
> > > ssl.truststore.password=changeme
> > >
> > > ssl.keystore.location=/root/alice.jks
> > >
> > > ssl.keystore.type=JKS
> > >
> > > ssl.keystore.password=changeme
> > >
> > > security.protocol=SSL
> > >
> > > bootstrap.server=cp-kafka1:9093
> > >
> > > ssl.endpoint.identification.algorithm=https
> > >
> > > This worked for me pretty well.
> > >
> > > Of course you need to generate those certs from open ssl.
> > >
> > > The trust store only contains the CA cert, the key store contains the
> > > keypair for alice (the user here).
> > >
> > >
> > > [image: Confluent] <https://www.confluent.io>
> > > Wu Shilin
> > > Solution Architect
> > > +6581007012
> > > Follow us: [image: Blog]
> > > <
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > >[image:
> > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > <https://youtube.com/confluent>
> > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > >
> > >
> > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <
> > > sharma.anjali.2...@gmail.com>
> > > wrote:
> > >
> > > > Thanks for this info can you please share what all needs to be
> present
> > on
> > > > the client side for mtls as in what all configuration are needed that
> > > side?
> > > >
> > > > Thanks
> > > >
> > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid>
> > wrote:
> > > >
> > > > > A few things to check:
> > > > >
> > > > > 1. Client trust store need to trust the server cert's issuer cert
> > (AKA
> > > > the
> > > > > CA cert)
> > > > > 2. The client must have a keystore that can be trusted by server's
> > > trust
> > > > > store.
> > > > > 3. The server needs to be accessed either via FQDN, or one of the
> SAN
> > > > > address. If you are doing self sign, you can add many DNS alias and
> > > even
> > > > ip
> > > > > addresses to the server's cert.
> > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > client
> > > > > cert has extended key usage of clientAuth. Actually you can have
> > both -
> > > > if
> > > > > you are generating yourself.
> > > > >
> > > > >
> > > > >
> > > > > [image: Confluent] <https://www.confluent.io>
> > > > > Wu Shilin
> > > > > Solution Architect
> > > > > +6581007012
> > > > > Follow us: [image: Blog]
> > > > > <
> > > > >
> > > >
> > >
> >
> https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog
> > > > > >[image:
> > > > > Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
> > > > > <https://www.linkedin.com/company/confluent/>[image: Slack]
> > > > > <https://slackpass.io/confluentcommunity>[image: YouTube]
> > > > > <https://youtube.com/confluent>
> > > > > [image: Kafka Summit] <https://www.kafka-summit.org/>
> > > > >
> > > > >
> > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <
> > > > > sharma.anjali.2...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > Hi All,
> > > > > >
> > > > > > While trying for mtls ssl.client.aut=required, From Client side
> we
> > > are
> > > > > > seeing some junk certificates which we have not imported on the
> > > client
> > > > > > side?
> > > > > >
> > > > > > Please help with this?
> > > > > >
> > > > > > Thanks & Regards
> > > > > >
> > > > > > Anjali
> > > > > >
> > > > >
> > > >
> > >
> >
>
