Updated on 2024-10-25 GMT+08:00

Converting a JKS SSL Certificate to a PEM One

This section describes how to convert an SSL certificate from the JKS format to the PEM format.

Prerequisites

  • A Linux server is available. Java Development Kit 1.8.111 or later must be installed on the server, and the JAVA_HOME and PATH environment variables must be configured.
  • Kafka SASL_SSL has been enabled for the instance.

Generating a PEM SSL Certificate

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your Kafka instance is located.

  3. Click and choose Middleware > Distributed Message Service (for Kafka) to open the console of DMS for Kafka.
  4. Click a Kafka instance name to go to the instance details page.
  5. Click Download next to Connection > SSL Certificate.
  6. Decompress the Zip package to obtain the JKS SSL certificate.
  7. Log in to the Linux server and upload the JKS SSL certificate to it.
  8. Run the following command to convert the certificate from JKS to the PKCS12 format:

    keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12
    1. Enter a PKCS12 certificate password at the Enter destination keystore password prompt. Remember this password for later use.
    2. Enter the JKS certificate password at the Enter source keystore password prompt. Here, enter dms@kafka.

    Example:

    [root@ecs-test ~]# keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12
    Importing keystore client.jks to client.p12...
    Enter destination keystore password:  
    Re-enter new password: 
    Enter source keystore password:  
    Entry for alias clientpublickey successfully imported.
    Entry for alias huaweiequipmentrootca successfully imported.
    Entry for alias huaweicloudca successfully imported.
    Import command completed:  3 entries successfully imported, 0 entries failed or cancelled

  9. Run the following command to check the generated PKCS12 certificate client.p12:

    ll

    Example:

    [root@ecs-test ~]# ll
    -rw-r--r-- 1 root  root       3561 Jun 20 17:06 client.jks
    -rw-r--r-- 1 root  root       4023 Oct 10 20:06 client.p12

  10. Run the following command to convert the certificate format from PKCS12 to PEM:

    openssl pkcs12 -in client.p12 -out client.pem

    Enter the PKCS12 certificate password set in sub-step 1 of step 8 as prompted.

    Example:

    [root@ecs-test ~]# openssl pkcs12 -in client.p12 -out client.pem
    Enter Import Password:

  11. Run the following command to check the generated PEM certificate client.pem:

    ll

    Example:

    [root@ecs-test ~]# ll
    -rw-r--r-- 1 root  root       3561 Jun 20 17:06 client.jks
    -rw-r--r-- 1 root  root       4023 Oct 10 20:06 client.p12
    -rw------- 1 root  root       5384 Oct 10 20:24 client.pem
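The two conversion commands above (steps 8 and 10) can also be run without the interactive prompts, which is useful when the certificate has to be regenerated on several client hosts. The script below is an added example and is not part of the DMS documentation; it assumes keytool and openssl are on PATH, takes the JKS password from JKS_PASS (the page states dms@kafka) and the PKCS12 password from P12_PASS, exports only the certificates (a truststore needs no private key), and then lists which CAs the resulting PEM contains.

```shell
#!/bin/sh
# jks2pem.sh: hypothetical helper, not from the DMS documentation.
# Runs steps 8 and 10 of the procedure non-interactively and inspects the
# resulting PEM. Assumes keytool and openssl on PATH, plus two environment
# variables: JKS_PASS (password of the downloaded JKS, dms@kafka per the page)
# and P12_PASS (password to set on the intermediate PKCS12 file).

# jks_to_pem SRC.jks OUT.pem: JKS -> PKCS12 -> PEM, certificates only.
jks_to_pem() {
    src_jks=$1
    out_pem=$2
    p12="${out_pem%.pem}.p12"
    # Step 8, with the passwords supplied as options instead of prompts.
    keytool -importkeystore -noprompt \
        -srckeystore "$src_jks" -srcstorepass "$JKS_PASS" \
        -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$P12_PASS" \
        >/dev/null 2>&1 || return 1
    # Step 10. -nokeys exports only the certificates: a truststore needs no
    # private key, so none should end up in a file that is copied to clients.
    # OpenSSL 3 needs -legacy for PKCS12 files written with older JDK ciphers.
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -out "$out_pem" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$p12" -passin env:P12_PASS -nokeys -out "$out_pem" \
        || return 1
    rm -f "$p12"
    chmod 600 "$out_pem"   # same mode openssl gave client.pem in the listing above
}

# pem_cert_count FILE: number of certificate blocks in a PEM file.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# pem_subjects FILE: subject and issuer of every certificate, so you can
# confirm which CAs the client will trust before using the file as truststore.
pem_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage with the documented file names:
#   JKS_PASS=dms@kafka P12_PASS=secret sh jks2pem.sh
if [ -f client.jks ]; then
    jks_to_pem client.jks client.pem && pem_subjects client.pem
fi
```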

Accessing a Kafka Instance Using a PEM Certificate

The following section demonstrates how to access a Kafka instance using a PEM certificate on a Java client.

Access a Kafka instance to produce and consume messages by referring to Configuring Kafka Clients in Java. Modify the SASL setting of the message production and consumption configuration files as follows:

# If the SASL mechanism is PLAIN, configure as follows:
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
username="username" \
password="password";

# If the SASL mechanism is SCRAM-SHA-512, configure as follows:
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required \
username="username" \
password="password";

# Set the Kafka security protocol.
security.protocol=SASL_SSL
# ssl truststore.location is the path for storing the SSL certificate. The following code uses the path format in Windows as an example. Change the path format based on the actual running environment.
ssl.truststore.location=E:\\temp\\client.pem
# ssl.truststore.password is the server certificate password. To access a Kafka instance using a PEM certificate, skip this parameter.
#ssl.truststore.password=dms@kafka
# ssl.endpoint.identification.algorithm controls whether the broker certificate is checked against the host name being connected to. This parameter must be left blank; an empty value disables host name verification.
ssl.endpoint.identification.algorithm=
# Add the ssl.truststore.type parameter to specify the client certificate type to PEM.
ssl.truststore.type=PEM