Discussion:
How to provide certificate chain/intermediate CA to kafka broker
Fang Xing
2018-11-09 14:18:00 UTC
Permalink
Hello,

I'm looking for some instructions about setting SSL in Kafka with
certificate chains. There is instruction about settings for broker
certificate issued by a self-signed root CA, however I didn't find
information related to certificate chain.

If the chain is like this: root ca -> intermediate ca -> kafka broker
certificate/key, how to setup the keystore and truststore to include
intermediate ca's certificate? Should it be put into keystore or truststore
in what format?

Thanks! Fang
Rohan Rasane
2018-11-09 17:57:21 UTC
Permalink
Hi Fang,
You will need to create a CSR using the Private Key, then get that CSR
signed by your Certs team which should be able to add the root and
intermediate certs in the signed certs. Then you will have to add them to
your stores on the host.

Let me know if you have any specific questions.

-Rohan
Post by Fang Xing
Hello,
I'm looking for some instructions about setting SSL in Kafka with
certificate chains. There is instruction about settings for broker
certificate issued by a self-signed root CA, however I didn't find
information related to certificate chain.
If the chain is like this: root ca -> intermediate ca -> kafka broker
certificate/key, how to setup the keystore and truststore to include
intermediate ca's certificate? Should it be put into keystore or truststore
in what format?
Thanks! Fang
Fang Xing
2018-11-09 19:15:13 UTC
Permalink
Hi Rohan,

Thanks for the quick response. I do have some troubles with providing
certificate chain to brokers... This is how I set up keystore and
truststore and provide them in server.properties

1. generate pkcs12 file for broker key/cert and cert chain
kafka-key is broker's private key
cert-signed is broker's cert signed by intermediate CA, which is signed by
a self-signed root CA
bundle-cert is concatenation of brokers's cert(cert-signed), intermediate
CA's cert(ca1-cert) and root CA's(caroot-cert) cert

openssl pkcs12 -export -inkey kafka-key -in cert-signed -out
bundle-cert.pkcs12 -password pass:123456 -chain -CAfile bundle-cert

2. import pkcs12 file to broker's keystore

keytool -importkeystore -srckeystore bundle-cert.pkcs12 -srcstoretype
PKCS12 -destkeystore kafka.server.keystore.jks -deststorepass 123456
-srcstorepass 123456 -noprompt

3. import root CA's certificate to broker's trust store

keytool -keystore kafka.server.truststore.jks -alias caroot -import -file
caroot-cert -storepass 123456 -noprompt

4. Provide them in server.properties

After the above 4 steps, brokers(I have 4 brokers) do not communicate with
each other, unless intermediate CA's cert is added to broker's truststore.

Then I use kafkacat try to produce data through SSL, and always errors out
no matter root CA's cert or intermediate CA's cert is provided, kafkacat's
cert is signed with intermediate CA's cert in this case. It looks like
there is problem with verifying the chain set in brokers.

[12:47:33][***@ip-10-0-32-125:]$ kafkacat -P -X
metadata.broker.list=hostname -X ssl.ca.location=ca1-cert -X
security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X
ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093
-t topic_name -p 0 m-1.dat
%3|1541785738.749|FAIL|rdkafka#producer-1| [thrd:ssl://
10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to
verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to
verify broker certificate: self signed certificate in certificate chain
% ERROR: Local: All broker connections are down: 1/1 brokers are down:
terminating
[12:48:58][***@ip-10-0-32-125:]$ kafkacat -P -X
metadata.broker.list=hostname -X ssl.ca.location=caroot-cert -X
security.protocol=ssl -X ssl.certificate.location=kafkacat.pem -X
ssl.key.location=kafkacat.key -X ssl.key.password=123456 -b hostname:9093
-t topic_name -p 0 m-1.dat
%3|1541785747.751|FAIL|rdkafka#producer-1| [thrd:ssl://
10.0.32.125:9093/bootstrap]: ssl://10.0.32.125:9093/bootstrap: Failed to
verify broker certificate: invalid CA certificate
% ERROR: Local: SSL error: ssl://10.0.32.125:9093/bootstrap: Failed to
verify broker certificate: invalid CA certificate
% ERROR: Local: All broker connections are down: 1/1 brokers are down:
terminating

Any clue what is going wrong?

Thanks! Fang
Post by Rohan Rasane
Hi Fang,
You will need to create a CSR using the Private Key, then get that CSR
signed by your Certs team which should be able to add the root and
intermediate certs in the signed certs. Then you will have to add them to
your stores on the host.
Let me know if you have any specific questions.
-Rohan
Post by Fang Xing
Hello,
I'm looking for some instructions about setting SSL in Kafka with
certificate chains. There is instruction about settings for broker
certificate issued by a self-signed root CA, however I didn't find
information related to certificate chain.
If the chain is like this: root ca -> intermediate ca -> kafka broker
certificate/key, how to setup the keystore and truststore to include
intermediate ca's certificate? Should it be put into keystore or
truststore
Post by Fang Xing
in what format?
Thanks! Fang
--
Regards, Fang
Martin Gainty
2018-11-10 02:40:15 UTC
Permalink
if you dont have a "certs team" you can purchase a Contract with Certificate Authority such as Verisign
to handle signing X509 certs
Once the certs are signed and stuffed into truststore(s)
you will then be able to supply the x509 cert with public key from CA to your clients
Martin
________________________________
From: Rohan Rasane <***@gmail.com>
Sent: Friday, November 9, 2018 12:57 PM
To: ***@kafka.apache.org
Subject: Re: How to provide certificate chain/intermediate CA to kafka broker

Hi Fang,
You will need to create a CSR using the Private Key, then get that CSR
signed by your Certs team which should be able to add the root and
intermediate certs in the signed certs. Then you will have to add them to
your stores on the host.

Let me know if you have any specific questions.

-Rohan
Post by Fang Xing
Hello,
I'm looking for some instructions about setting SSL in Kafka with
certificate chains. There is instruction about settings for broker
certificate issued by a self-signed root CA, however I didn't find
information related to certificate chain.
If the chain is like this: root ca -> intermediate ca -> kafka broker
certificate/key, how to setup the keystore and truststore to include
intermediate ca's certificate? Should it be put into keystore or truststore
in what format?
Thanks! Fang
Loading...