Generating and Replacing a Certificate

When connecting a Kafka client to a Kafka instance that has SASL enabled, use either the certificate provided by DMS for Kafka or your own certificate. This section describes how to generate your own certificate and use it to replace the one provided by DMS for Kafka.

To generate and replace certificates, contact background support personnel to enable the function for you. This function is available on a whitelist basis in all regions.

Replacing the certificate will restart the instance. Exercise caution.

Prerequisites

A Linux server is available.
Kafka SASL_SSL has been enabled for the instance.

Step 1: Generating a Certificate

Log in to the Linux server and run the following command to generate a keystore for the server.keystore.jks certificate:
```
keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
```
Enter a keystore password as prompted. The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter the information about the certificate owner as prompted, such as the name, company, and city.
Run the following command to generate a CA:
```
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
```
Enter a PEM password as prompted.

Enter the information about the certificate owner as prompted.
The certificate validity can be checked only after a truststore certificate is created. Run the following command to create a server truststore certificate with the generated CA:
```
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the server truststore password as prompted. The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Run the following command to create a client truststore certificate with the CA:
```
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the client truststore password as prompted. This password is the value of ssl.truststore.password in the configuration file used by the client to connect to the Kafka instance.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Sign the server certificate.
1. Export the server certificate server.cert-file.
```
keytool -keystore server.keystore.jks -alias localhost -certreq -file server.cert-file
```
  Enter the keystore password set in 1 as prompted.
2. Sign the server certificate with the CA.
```
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.cert-file -out server.cert-signed -days 3650 -CAcreateserial
```
  Enter the PEM password set in 2 as prompted.
3. Import the CA certificate to the server keystore.
```
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
```
  Enter the keystore password set in 1 as prompted.
  Enter y when the following information is displayed:
```
Trust this certificate?
```
4. Import the signed server certificate to the server keystore.
```
keytool -keystore server.keystore.jks -alias localhost -import -file server.cert-signed
```
  Enter the keystore password set in 1 as prompted.
Export the server.keystore.jks and server.truststore.jks certificates to the local PC.

Figure 1 Certificate directory

Step 2: Replacing a Certificate

Log in to the management console.
Click in the upper left corner to select a region.

Select the same region as your application service.
Click and choose Application > Distributed Message Service for Kafka to open the console of DMS for Kafka.
Click the desired instance to view its details.
In the Connection area, click Re-upload next to SSL Certificate.

Figure 2 Connection information

Set the parameters for replacing the SSL certificate by referring to Table 1.

Figure 3 Replacing the SSL certificate
Click to enlarge

**Table 1** Parameters for replacing the SSL certificate
Parameter	Description
Key Password	Enter the keystore password set in 1.
Keystore Password	Enter the keystore password set in 1.
Keystore File	Import the server.keystore.jks certificate.
Truststore Password	Enter the server truststore password set in 3.
Truststore File	Import the server.truststore.jks certificate.

Click OK.
Click OK.

On the Background Tasks page, if the certificate replacement task is Successful, the certificate is successfully replaced.

After the original certificate is successfully replaced, you will download the certificate provided by DMS for Kafka rather than your own certificate by clicking Download on the Basic Information tab page.

Step 3: Modifying Client Configuration Files

After a certificate is replaced, modify the ssl.truststore.location and ssl.truststore.password parameters in the consumer.properties and producer.properties files on the client, respectively.

security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=

ssl.truststore.location: path for storing the client.truststore.jks certificate.
ssl.truststore.password: truststore password of the client certificate
ssl.endpoint.identification.algorithm: whether to verify the certificate domain name. This parameter must be left blank, which indicates disabling domain name verification.