You need to make sure of the following, one by one... Or you can post the
error message here so we can see the exact error.


> > > > > 1. The client trust store needs to trust the server cert's issuer cert
> > > > >    (AKA the CA cert).
> > > > > 2. The client must have a keystore that can be trusted by the server's
> > > > >    trust store.
> > > > > 3. The server needs to be accessed either via FQDN, or one of the SAN
> > > > >    addresses. If you are self-signing, you can add many DNS aliases and
> > > > >    even IP addresses to the server's cert.
> > > > > 4. Make sure the server cert has extended key usage of serverAuth, and
> > > > >    the client cert has extended key usage of clientAuth. Actually you
> > > > >    can have both, if you are generating them yourself.

Wu Shilin
Solution Architect, Confluent <https://www.confluent.io>
+6581007012


On Thu, Jun 24, 2021 at 8:26 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:

> Thanks for this, but we are trying to do this on the command line and are
> getting this bad certificate error.
>
> On Thu, Jun 24, 2021, 17:52 Shilin Wu <s...@confluent.io.invalid> wrote:
>
> > You may run openssl s_client -connect kafkahost:port to dump the cert.
> >
> > See if the cert makes sense.
> >
> > To test if your SSL works, you may try using this Java program to test if
> > you have an SSL trust issue. If it connects OK, the cert trust is most
> > likely okay. (Remember to change your host name in the code, and the JKS
> > path in the command line options.)
> >
> > java -Djavax.net.ssl.trustStore=truststore.jks \
> >     -Djavax.net.ssl.trustStorePassword=changeme Test
> >
> > import java.net.*;
> > import java.io.*;
> > import javax.net.ssl.*;
> >
> > /*
> >  * This example demonstrates how to use an SSLSocket as a client to
> >  * open a TLS connection to a server and complete the handshake.
> >  * It assumes that the client is not behind a firewall.
> >  */
> > public class Test {
> >
> >     public static void main(String[] args) throws Exception {
> >         try {
> >             // The default factory reads the trust store from the
> >             // -Djavax.net.ssl.trustStore* options on the command line.
> >             SSLSocketFactory factory =
> >                 (SSLSocketFactory) SSLSocketFactory.getDefault();
> >
> >             // Change the host name and port to your broker's SSL listener.
> >             SSLSocket socket =
> >                 (SSLSocket) factory.createSocket("cp-kafka1", 9093);
> >
> >             /*
> >              * Before any application data is sent or received, the
> >              * SSL socket will do SSL handshaking first to set up
> >              * the security attributes.
> >              *
> >              * SSL handshaking can be initiated either by flushing data
> >              * down the pipe, or by starting the handshake by hand.
> >              *
> >              * Handshaking is started manually in this example because
> >              * PrintWriter catches all IOExceptions (including
> >              * SSLExceptions), sets an internal error flag, and then
> >              * returns without rethrowing the exception.
> >              *
> >              * Unfortunately, this means any error messages are lost,
> >              * which caused lots of confusion for others using this
> >              * code. The only way to tell there was an error is to call
> >              * PrintWriter.checkError().
> >              */
> >             socket.startHandshake();
> >
> >             // If we get here the broker's cert chain was trusted; show
> >             // which certificate it presented.
> >             System.out.println("Handshake OK, server cert subject: "
> >                 + socket.getSession().getPeerPrincipal());
> >             socket.close();
> >         } catch (Exception e) {
> >             // A trust failure shows up here as an SSLHandshakeException.
> >             e.printStackTrace();
> >         }
> >     }
> > }
> >
> >
> >
> > On Thu, Jun 24, 2021 at 8:17 PM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> >
> > > I had added those configurations but am still seeing only junk
> > > certificates from the client side. Any idea how to solve this?
> > >
> > >
> > > Thanks
> > > Anjali
> > >
> > > On Thu, Jun 24, 2021, 17:44 Shilin Wu <s...@confluent.io.invalid> wrote:
> > >
> > > > ssl.truststore.location=/root/truststore.jks
> > > > ssl.truststore.type=JKS
> > > > ssl.truststore.password=changeme
> > > > ssl.keystore.location=/root/alice.jks
> > > > ssl.keystore.type=JKS
> > > > ssl.keystore.password=changeme
> > > > security.protocol=SSL
> > > > bootstrap.servers=cp-kafka1:9093
> > > > ssl.endpoint.identification.algorithm=https
> > > >
> > > > This worked for me pretty well.
> > > >
> > > > Of course you need to generate those certs with OpenSSL.
> > > >
> > > > The trust store only contains the CA cert; the key store contains the
> > > > keypair for alice (the user here).
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > >
> > > > > Thanks for this info. Can you please share what all needs to be
> > > > > present on the client side for mTLS, i.e. what configuration is
> > > > > needed on that side?
> > > > >
> > > > > Thanks
> > > > >
> > > > > On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid> wrote:
> > > > >
> > > > > > A few things to check:
> > > > > >
> > > > > > 1. The client trust store needs to trust the server cert's issuer
> > > > > >    cert (AKA the CA cert).
> > > > > > 2. The client must have a keystore that can be trusted by the
> > > > > >    server's trust store.
> > > > > > 3. The server needs to be accessed either via FQDN, or one of the
> > > > > >    SAN addresses. If you are self-signing, you can add many DNS
> > > > > >    aliases and even IP addresses to the server's cert.
> > > > > > 4. Make sure the server cert has extended key usage of serverAuth,
> > > > > >    and the client cert has extended key usage of clientAuth.
> > > > > >    Actually you can have both, if you are generating them yourself.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> > > > > >
> > > > > > > Hi All,
> > > > > > >
> > > > > > > While trying mTLS with ssl.client.auth=required, from the client
> > > > > > > side we are seeing some junk certificates which we have not
> > > > > > > imported on the client side?
> > > > > > >
> > > > > > > Please help with this?
> > > > > > >
> > > > > > > Thanks & Regards
> > > > > > >
> > > > > > > Anjali
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
>
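The checklist in Shilin's replies (trusted issuer, client keystore, FQDN/SAN, serverAuth/clientAuth EKU) and the client properties above can be checked end to end with openssl before touching Kafka. The following script is an added example, not code from the thread; it assumes OpenSSL 1.1.1 or later, and the CA name demo-ca, the host names cp-kafka1 and kafka.example.test, the address 10.0.0.5 and the user alice are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, a broker cert and
# a client cert with openssl, then check the four items from the list above the
# way the Kafka client and broker will. The names demo-ca, cp-kafka1, alice and
# the address 10.0.0.5 are constructed for the demo.
set -e
WORK=$(mktemp -d)

# Items 1 and 2: one private CA; its cert is what both trust stores hold.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a leaf cert signed by the CA. $1=name, $2=SAN list, $3=EKU list.
# The SAN list covers item 3 and the EKU covers item 4.
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=%s\n' "$2" "$3" >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" \
    >/dev/null 2>&1
}

# What a client with ssl.endpoint.identification.algorithm=https requires of
# the broker cert ($1) when it dials host $2: chains to the trusted CA
# (item 1), carries serverAuth (item 4) and lists $2 in its SANs (item 3).
server_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
# Same check for a client that dials the broker by IP address $2.
server_ip_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}
# What a broker with ssl.client.auth=required requires of the client cert
# ($1): chains to the broker's trust store (item 2), carries clientAuth (item 4).
client_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient \
    "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
make_leaf server "DNS:cp-kafka1,DNS:kafka.example.test,IP:10.0.0.5" serverAuth
make_leaf alice "DNS:alice" clientAuth
server_ok server cp-kafka1 && echo "broker cert accepted for cp-kafka1"
client_ok alice && echo "alice's cert accepted as a client cert"
```

A broker cert that fails server_ok for the name in bootstrap.servers, or a client cert that fails client_ok, is the usual cause of the "bad certificate" alert seen in this thread.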
