Ninja Docs Help

Kafka - generating certificate

Revision   Date         Description
1.0        24.07.2024   Init Changelog

Instructions

  1. Run the command below in the directory /opt/kafka_*/ssl/:

    keytool -genkey -keystore kafka.server.keystore.jks -validity 365000 -storetype pkcs12 -keyalg RSA
  2. When prompted during key generation, answer as below:

    What is your first and last name? [Unknown]: NODE_NAME
    What is the name of your organizational unit? [Unknown]: ORGANIZATION_UNIT
    What is the name of your organization? [Unknown]: ORGANIZATION_NAME
    What is the name of your City or Locality? [Unknown]: ORGANIZATION_CITY
    What is the name of your State or Province? [Unknown]: ORGANIZATION_STATE
    What is the two-letter country code for this unit? [Unknown]: ORGANIZATION_COUNTRY_CODE
    Is CN=NODE_NAME, OU=ORGANIZATION_UNIT, O=ORGANIZATION_NAME, L=ORGANIZATION_CITY, ST=ORGANIZATION_STATE, C=ORGANIZATION_COUNTRY_CODE correct? [no]: yes

    Where:

    • NODE_NAME - Kafka node hostname. It becomes the certificate CN, so it must match the name clients use to connect to the node.

    • ORGANIZATION_UNIT - organizational unit named in the certificate.

    • ORGANIZATION_NAME - name of the organization.

    • ORGANIZATION_CITY - city where the organization has its headquarters.

    • ORGANIZATION_STATE - state or province where the organization has its headquarters.

    • ORGANIZATION_COUNTRY_CODE - two-letter country code of the organization, e.g. PL for Poland.

  3. Check the keystore contents, then generate the CSR (written to a file named NODE_NAME):

    keytool -list -v -keystore kafka.server.keystore.jks
    keytool -keystore kafka.server.keystore.jks -certreq -file NODE_NAME
  4. Copy the generated CSR into your home directory on the host, then download it to your local machine (the scp command is run on the local machine):

    cp CSR_FILE_NAME ~/
    scp USERNAME@HOSTNAME:CSR_FILE_PATH DEST_PATH

    Where:

    • CSR_FILE_NAME - file name of the generated CSR.

    • USERNAME - your username on the host.

    • HOSTNAME - hostname of the Kafka node.

    • CSR_FILE_PATH - absolute path of the generated CSR on the host.

    • DEST_PATH - destination path on your local machine.

  5. Sign the certificate with the CA (note that -passin pass:PASSWORD takes no space after the colon):

    openssl x509 -req -CA ca-cert -CAkey ca-key -in CSR_FILE -out OUTPUT_FILE -days 365000 -CAcreateserial -passin pass:PASSWORD

    Where:

    • CSR_FILE - generated CSR file name (or path).

    • OUTPUT_FILE - output file name (or path) for the signed certificate.

    • PASSWORD - passphrase of the CA private key (ca-key).

  6. Copy ca-cert together with the signed certificate to the host, move both to /opt/kafka_*/ssl/ and import them into the keystore (the CA first, then the signed certificate):

    keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert
    keytool -keystore kafka.server.keystore.jks -import -file SIGNED_CERTIFICATE
  7. Create kafka.server.truststore.jks and kafka.client.truststore.jks, each containing the CA certificate:

    keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert
    keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert
  8. Set the proper ownership for all files in the directory /opt/kafka_*/ssl/:

    chown -R kafka:kafka /opt/kafka_*/ssl/*
  9. Edit server.properties and kafka_server_jaas.conf:

    vim server.properties
    vim kafka_server_jaas.conf
  10. Create the service, edit the kafka-server-start.sh script, start Kafka and check that the broker has registered in ZooKeeper:

    cd /etc/systemd/system
    vim kafka.service
    cd /opt/kafka_*/bin/
    vim kafka-server-start.sh
    systemctl enable kafka
    service kafka start
    service kafka status
    ./zookeeper-shell.sh localhost:2181 ls /brokers/ids
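The script below is an added example and is not part of this page or of Kafka itself. It runs the signing step from step 5 end to end against a throwaway CA and then checks the result the way you would want to before importing it in step 6: the signed certificate must chain to ca-cert, and its CN must equal the node hostname given as NODE_NAME. It assumes only that the openssl command-line tool is installed; the node key and CSR are produced with openssl req instead of keytool purely so the example runs without Java (in the real procedure the CSR comes from keytool -certreq). The hostname, passphrase and subject fields are constructed sample values, and verify_node_cert is a hypothetical helper written for this example.

```shell
#!/bin/sh
# Added example (not from the original page): sign a node CSR with the page's
# step-5 openssl command against a throwaway CA, then verify chain and CN.
# Assumes: the openssl CLI is installed. NODE_NAME and PASSWORD are constructed
# sample values; verify_node_cert is a helper written for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
NODE_NAME=kafka-node-1.example.internal   # constructed sample hostname
PASSWORD=changeit                         # constructed sample CA key passphrase

# 1. Throwaway CA, using the same file names the page uses (ca-key / ca-cert).
#    The CA key is encrypted with PASSWORD, which is what -passin unlocks below.
openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 \
  -subj "/CN=Example Kafka CA" \
  -passout "pass:$PASSWORD" \
  -keyout "$WORK/ca-key" -out "$WORK/ca-cert" >/dev/null 2>&1

# 2. Node key and CSR. The page generates these inside the JKS with keytool;
#    openssl req stands in here only so the example runs without Java.
openssl req -new -newkey rsa:2048 -sha256 -nodes \
  -subj "/C=PL/ST=State/L=City/O=Org/OU=Unit/CN=$NODE_NAME" \
  -keyout "$WORK/node.key" -out "$WORK/node.csr" >/dev/null 2>&1

# 3. Sign: the page's step-5 command verbatim. Note "pass:$PASSWORD" has no
#    space after the colon; "pass: PASSWORD" would make openssl read "pass:"
#    as an empty passphrase and fail to open ca-key.
openssl x509 -req -CA "$WORK/ca-cert" -CAkey "$WORK/ca-key" \
  -in "$WORK/node.csr" -out "$WORK/node-signed.pem" \
  -days 365000 -CAcreateserial -passin "pass:$PASSWORD" >/dev/null 2>&1

# 4. For comparison: the same CSR self-signed with the node key. This is what
#    a certificate that was never signed by the CA looks like to the check.
openssl x509 -req -in "$WORK/node.csr" -signkey "$WORK/node.key" \
  -out "$WORK/node-selfsigned.pem" -days 1 >/dev/null 2>&1

# verify_node_cert CA_CERT SIGNED_CERT EXPECTED_CN
# Prints "ok" when SIGNED_CERT chains to CA_CERT and its subject CN equals
# EXPECTED_CN; otherwise prints the reason and returns 1.
verify_node_cert() {
  ca=$1; cert=$2; expected=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: $cert does not verify against $ca"
    return 1
  fi
  # RFC 2253 output is "subject=CN=...,OU=...,..." regardless of openssl version.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$expected" ]; then
    echo "cn: got '$cn', expected '$expected'"
    return 1
  fi
  echo ok
}

# Usage: the CA-signed certificate passes, the self-signed one is rejected on
# the chain check, and a CN that differs from the node hostname is rejected too.
verify_node_cert "$WORK/ca-cert" "$WORK/node-signed.pem" "$NODE_NAME"
verify_node_cert "$WORK/ca-cert" "$WORK/node-selfsigned.pem" "$NODE_NAME" || true
verify_node_cert "$WORK/ca-cert" "$WORK/node-signed.pem" other.example.internal || true
```

Run the same verify_node_cert check on the real ca-cert and the real OUTPUT_FILE from step 5 before importing in step 6; a CN that does not match the hostname is not caught by keytool -import, only by clients at connection time.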
Last modified: 17 February 2025