Help Center/
Distributed Message Service for Kafka/
User Guide/
Connecting to an Instance/
Configuring Kafka Access Control/
Converting a JKS SSL Certificate to a PEM One
Updated on 2024-10-25 GMT+08:00
Converting a JKS SSL Certificate to a PEM One
This section describes how to convert an SSL certificate from the JKS format to the PEM format.
Prerequisites
- A Linux server is available. The server must install Java Development Kit 1.8.111 or later and JAVA_HOME and PATH environment variables are configured.
- Kafka SASL_SSL has been enabled for the instance.
Generating a PEM SSL Certificate
- Log in to the console.
- Click
in the upper left corner to select a region.
Select the region where your Kafka instance is in.
- Click
and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka. - Click a Kafka instance name to go to the instance details page.
- Click Download next to Connection > SSL Certificate.
- Decompress the Zip package to obtain the JKS SSL certificate.
- Log in to the Linux server and upload the JKS SSL certificate to it.
- Run the following command to convert the certificate from JKS to the PKCS12 format:
keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12
- Enter a PKCS12 certificate password when Enter destination keystore password is prompted. Remember the password for later use.
- Enter a JKS certificate password when Enter source keystore password is prompted. Here, enter dms@kafka.
Example:
[root@ecs-test ~]# keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12 Importing keystore client.jks to client.p12... Enter destination keystore password: Re-enter new password: Enter source keystore password: Entry for alias clientpublickey successfully imported. Entry for alias huaweiequipmentrootca successfully imported. Entry for alias huaweicloudca successfully imported. Import command completed: 3 entries successfully imported, 0 entries failed or cancelled
- Run the following command to check the generated PKCS12 certificate client.p12:
ll
Example:
[root@ecs-test ~]# ll -rw-r--r-- 1 root root 3561 Jun 20 17:06 client.jks -rw-r--r-- 1 root root 4023 Oct 10 20:06 client.p12
- Run the following command to convert the certificate format from PKCS12 to PEM.
openssl pkcs12 -in client.p12 -out client.pem
Enter the PKCS12 certificate password set in 8.a as prompted.
Example:
[root@ecs-test ~]# openssl pkcs12 -in client.p12 -out client.pem Enter Import Password:
- Run the following command to check the generated PEM certificate client.pem.
ll
Example:
[root@ecs-test ~]# ll -rw-r--r-- 1 root root 3561 Jun 20 17:06 client.jks -rw-r--r-- 1 root root 4023 Oct 10 20:06 client.p12 -rw------- 1 root root 5384 Oct 10 20:24 client.pem
Accessing a Kafka Instance Using a PEM Certificate
The following section demonstrates how to access a Kafka instance using a PEM certificate on a Java client.
Access a Kafka instance to produce and consume messages by referring to Configuring Kafka Clients in Java. Modify the SASL setting of the message production and consumption configuration files as follows:
# If the SASL mechanism is PLAIN, configure as follows: sasl.mechanism=PLAIN sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \ username="username" \ password="password"; # If the SASL mechanism is SCRAM-SHA-512, configure as follows: sasl.mechanism=SCRAM-SHA-512 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \ username="username" \ password="password"; #Set the Kafka security protocol. security.protocol=SASL_SSL # ssl truststore.location is the path for storing the SSL certificate. The following code uses the path format in Windows as an example. Change the path format based on the actual running environment. ssl.truststore.location=E:\\temp\\client.pem # ssl.truststore.password is the server certificate password. To access a Kafka instance using a PEM certificate, skip this parameter. #ssl.truststore.password=dms@kafka # ssl.endpoint.identification.algorithm indicates whether to verify the certificate domain name. This parameter must be left blank, which indicates disabling domain name verification. ssl.endpoint.identification.algorithm= # Add the ssl.truststore.type parameter to specify the client certificate type to PEM. ssl.truststore.type=PEM
Parent topic: Configuring Kafka Access Control
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot
