@DennisFederico
Created May 31, 2023 15:12

Collection of commands to create custom certs for Confluent Platform

Self-signed Certificates

These were prepared using the cfssl (CloudFlare SSL) tools, a wrapper over openssl that simplifies its usage, so openssl must be installed too.

Prepare CA - Certificate Authority

Create CA Key

$ openssl genrsa -out generated/CAkey.pem 2048

Generate CA Certificate

$ openssl req -x509 -new -nodes \
  -key generated/CAkey.pem \
  -days 365 \
  -out generated/CAcert.pem \
  -subj "/C=ES/ST=VLC/L=VLC/O=Demo/OU=GCP/CN=DennisCA"

Prepare Servers Certificates

For this kind of cluster we will prepare a single certificate for all the services, so the request configuration must list every IP (public and private) as well as every name (hostname, and domain if available).

Install CFSSL

$ sudo apt install golang-cfssl 

Create CFSSL Profiles

A simple file (cert-req-conf.json) declaring the key usages and expiry for each certificate profile:

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

Create Server Request

A file (server-cert-req.json, as used in the command below) with the CN, the hosts that become the certificate's SAN entries, and the key parameters:

{
  "CN": "kafka.azimut.gce",
  "hosts": [
    "zk-0.demo.dfederico",
    "broker-0.demo.dfederico",
    "broker-1.demo.dfederico",
    "broker-2.demo.dfederico",
    "sr-0.demo.dfederico",
    "c3-0.demo.dfederico",
    "35.205.87.147",
    "prometheus-0.demo.dfederico",
    "grafana-0.demo.dfederico",
    "34.76.68.49"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "Universe",
      "ST": "Pangea",
      "L": "Earth"
    }
  ]
}
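Before running cfssl gencert with the profile file and request above, it is worth linting them: the request's CN (kafka.azimut.gce) is not in hosts, and modern clients verify hostnames only against the SAN, so a client connecting by that name would fail. The following is an added, hypothetical linter (not part of the gist or of cfssl) over a constructed copy of the gist's config and request; the 398-day threshold is the cap applied to publicly trusted certificates and is only a rotation hint for a private CA.

```python
import ipaddress
import re

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def classify_host(entry):
    """Return 'ip', 'dns' or 'invalid' for one 'hosts' entry (cfssl emits each as a SAN)."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        return "dns" if HOSTNAME_RE.match(entry) else "invalid"

def lint_request(request, config, profile, max_days=398):
    """Hypothetical pre-issuance check: list findings for signing `request` with `profile`."""
    profiles = config.get("signing", {}).get("profiles", {})
    if profile not in profiles:
        return [f"profile '{profile}' not defined in signing config"]
    prof = profiles[profile]
    usages = set(prof.get("usages", []))
    hours = int(prof.get("expiry", config["signing"]["default"]["expiry"]).rstrip("h"))
    findings = []
    if hours > 24 * max_days:
        findings.append(f"expiry {hours // 24} days exceeds the {max_days}-day cap; plan rotation")
    if profile == "client" and "server auth" in usages:
        findings.append("client profile grants 'server auth': a user cert could pose as a broker")
    if "server auth" in usages:
        hosts = request.get("hosts", [])
        cn = request.get("CN")
        if not hosts:
            findings.append("server profile but no 'hosts': cert gets no SAN, hostname checks fail")
        elif cn and cn not in hosts:
            findings.append(f"CN '{cn}' is not in hosts; modern clients ignore CN once a SAN is present")
        for h in hosts:
            if classify_host(h) == "invalid":
                findings.append(f"host entry '{h}' is neither a DNS name nor an IP address")
    return findings

# Sample data constructed from the gist's cert-req-conf.json and server request (shortened).
CONFIG = {"signing": {"default": {"expiry": "43800h"}, "profiles": {
    "server": {"expiry": "43800h",
               "usages": ["signing", "key encipherment", "server auth", "client auth"]},
    "client": {"expiry": "43800h", "usages": ["signing", "key encipherment", "client auth"]}}}}
SERVER_REQ = {"CN": "kafka.azimut.gce",
              "hosts": ["zk-0.demo.dfederico", "broker-0.demo.dfederico", "35.205.87.147"],
              "key": {"algo": "rsa", "size": 2048},
              "names": [{"C": "Universe", "ST": "Pangea", "L": "Earth"}]}
```

Running lint_request(SERVER_REQ, CONFIG, "server") reports the 1825-day expiry and the CN missing from hosts; adding kafka.azimut.gce to hosts clears the second finding.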

Generate the Server Certificate

$ cfssl gencert -ca=generated/CAcert.pem \
    -ca-key=generated/CAkey.pem \
    -config=cert-req-conf.json \
    -profile=server server-cert-req.json \
    | cfssljson -bare generated/server

Generate Client Certificate

$ cfssl gencert -ca=generated/CAcert.pem \
    -ca-key=generated/CAkey.pem \
    -config=cert-req-conf.json \
    -profile=client user-LOGIN-cert-req.json \
    | cfssljson -bare generated/users/LOGIN

Create P12 Bundle for Clients

$ openssl pkcs12 -export \
    -in generated/users/LOGIN.pem \
    -inkey generated/users/LOGIN-key.pem \
    -out generated/users/LOGIN.p12

Truststore (JKS) for some connection properties

$ keytool -keystore generated/client.truststore.jks \
    -alias CARoot \
    -importcert -file generated/CAcert.pem 

Note: record the truststore password; it is needed in the connection properties later.

CHECK DN

$ keytool -list -keystore generated/users/dfederico.p12 \
        -storepass changeme -v \
        | grep PrivateKeyEntry -A1000 \
        | grep Owner -m1 \
        | cut -d ":" -f2 \
        | cut -c2- \
        | sed 's/\s*,\s*/,/g'

MDS Credentials

### We need to provide a key pair (private/public) for MDS to generate tokens
$ openssl genrsa -out mds-priv-key.pem 2048
$ openssl rsa -in mds-priv-key.pem -outform PEM -pubout -out mds-pub-key.pem

Encrypt Private Key

### Assuming rsa, otherwise use dsa; replace -aes256 with any other cipher
$ openssl rsa -aes256 -in generated/server-key.pem -out generated/server-key-enc.pem

Decrypt Private Key

$ openssl rsa -in your.key -out your.open.key

Export Private Key from JKS

It is a multi-step process: first a PKCS12 container is created from the JKS by extracting the entry under the given "alias", then the PKCS12 is converted to a PEM file.

$ keytool -importkeystore \
    -srckeystore kafka_broker.keystore.jks \
    -srcstorepass keystoreme \
    -srcalias localhost \
    -destkeystore key.p12 \
    -deststoretype PKCS12 \
    -deststorepass keystoreme

$ openssl pkcs12 -in key.p12 -nodes -nocerts -out private_key.pem

Note that PKCS12 does not allow different passwords for the key and the container/store

Add the CA to the system trust store (Debian/Ubuntu)

$ sudo cp local-ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
