Generating and Replacing a Certificate
When connecting a Kafka client to a Kafka instance that has SASL enabled, use either the certificate provided by DMS for Kafka or your own certificate. This section describes how to generate your own certificate and use it to replace the one provided by DMS for Kafka.
To generate and replace certificates, contact background support personnel to enable the function for you. This function is available on a whitelist basis in all regions.
Replacing the certificate will restart the instance. Exercise caution.
Prerequisites
- A Linux server is available.
- Kafka SASL_SSL has been enabled for the instance.
Step 1: Generating a Certificate
- Log in to the Linux server and run the following command to generate a keystore for the server.keystore.jks certificate:
keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter a keystore password as prompted. The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter the information about the certificate owner as prompted, such as the name, company, and city.
- Run the following command to generate a CA:
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Enter a PEM password as prompted.
Enter the information about the certificate owner as prompted.
- The certificate validity can be checked only after a truststore certificate is created. Run the following command to create a server truststore certificate with the generated CA:
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
Enter the server truststore password as prompted. The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:Trust this certificate?
- Run the following command to create a client truststore certificate with the CA:
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
Enter the client truststore password as prompted. This password is the value of ssl.truststore.password in the configuration file used by the client to connect to the Kafka instance.
Enter y when the following information is displayed:Trust this certificate?
- Sign the server certificate.
- Export the server certificate server.cert-file.
keytool -keystore server.keystore.jks -alias localhost -certreq -file server.cert-file
Enter the keystore password set in 1 as prompted.
- Sign the server certificate with the CA.
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.cert-file -out server.cert-signed -days 3650 -CAcreateserial
Enter the PEM password set in 2 as prompted.
- Import the CA certificate to the server keystore.
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
Enter the keystore password set in 1 as prompted.
Enter y when the following information is displayed:Trust this certificate?
- Import the signed server certificate to the server keystore.
keytool -keystore server.keystore.jks -alias localhost -import -file server.cert-signed
Enter the keystore password set in 1 as prompted.
- Export the server certificate server.cert-file.
- Export the server.keystore.jks and server.truststore.jks certificates to the local PC.
Figure 1 Certificate directory
Step 2: Replacing a Certificate
- Log in to the management console.
- Click in the upper left corner to select a region.
Select the same region as your application service.
- Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
- Click the desired instance to view its details.
- In the Connection area, click Re-upload next to SSL Certificate.
Figure 2 Connection information
- Set the parameters for replacing the SSL certificate by referring to Table 1.
Figure 3 Replacing the SSL certificate
Table 1 Parameters for replacing the SSL certificate Parameter
Description
Key Password
Enter the keystore password set in 1.
Keystore Password
Enter the keystore password set in 1.
Keystore File
Import the server.keystore.jks certificate.
Truststore Password
Enter the server truststore password set in 3.
Truststore File
Import the server.truststore.jks certificate.
- Click OK.
- Click OK.
On the Background Tasks page, if the certificate replacement task is Successful, the certificate is successfully replaced.
After the original certificate is successfully replaced, you will download the certificate provided by DMS for Kafka rather than your own certificate by clicking Download on the Basic Information tab page.
Step 3: Modifying Client Configuration Files
After a certificate is replaced, modify the ssl.truststore.location and ssl.truststore.password parameters in the consumer.properties and producer.properties files on the client, respectively.
security.protocol=SASL_SSL ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks ssl.truststore.password=dms@kafka ssl.endpoint.identification.algorithm=
- ssl.truststore.location: path for storing the client.truststore.jks certificate.
- ssl.truststore.password: truststore password of the client certificate
- ssl.endpoint.identification.algorithm: whether to verify the certificate domain name. This parameter must be left blank, which indicates disabling domain name verification.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot