Generating and Replacing an SSL Certificate for Kafka

The SSL certificate secures data transmission through encryption between a client and an instance.

When connecting a Kafka client to a Kafka instance that has ciphertext access enabled and SASL_SSL as the security protocol, use either the certificate provided by DMS for Kafka or your own certificate. This section describes how to generate your own certificate and use it to replace the one provided by DMS for Kafka.

To generate and replace certificates, contact background support personnel to enable the function for you. This function is available on a whitelist basis in all regions.

Replacing the certificate will restart the instance. Exercise caution.

Prerequisites

A Linux server is available. The server must install Java Development Kit 1.8.111 or later and JAVA_HOME and PATH environment variables are configured.
Kafka SASL_SSL has been enabled for the instance.

Step 1: Generating a Certificate

Log in to the Linux server and run the following command to generate a keystore for the server.keystore.jks certificate:

keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA

Enter the keystore password as prompted and record the password for later use.

The password must meet the following requirements:

Contains 8 to 32 characters.
Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
Cannot be a weak password. To check whether a password is weak, enter it in 6.

Enter the information about the certificate owner as prompted, such as the name, company, organization, city, and country or region.

[root@ecs-kafka ~]# keytool -genkey -keystore server.keystore.jks -alias localhost -validity 3650 -keyalg RSA
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tom
What is the name of your organizational unit?
  [Unknown]:  test
What is the name of your organization?
  [Unknown]:  test01
What is the name of your City or Locality?
  [Unknown]:  nj
What is the name of your State or Province?
  [Unknown]:  js
What is the two-letter country code for this unit?
  [Unknown]:  xx
Is CN=Tom, OU=test, O=test01, L=nj, ST=js, C=xx correct?
  [no]:  y

Run the following command to generate a CA:

openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650

Enter the PEM password as prompted and record the password for later use.

The password must meet the following requirements: 4 to 1024 characters.

Enter the information about the certificate owner as prompted, such as the country or region, city, organization, company, name, and email.

[root@ecs-kafka ~]# openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Generating a RSA private key
............................................................................................................................................+++++
..........+++++
writing new private key to 'ca-key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:js
Locality Name (eg, city) [Default City]:nj
Organization Name (eg, company) [Default Company Ltd]:test01
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:Tom 
Email Address []:xx
[root@ecs-kafka ~]#

The certificate validity can be checked only after a truststore certificate is created. Run the following command to create a server truststore certificate with the generated CA:
```
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the truststore password of the server certificate as prompted and record the password for later use.

The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Run the following command to create a client truststore certificate with the CA:
```
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
```
Enter the client truststore password as prompted and record the password. This password is the value of ssl.truststore.password in the configuration file used by the client to connect to the Kafka instance.

The password must meet the following requirements:
- Contains 8 to 32 characters.
- Contains at least three of the following character types: letters, digits, spaces, and special characters `-!@#$ %^&*()-_=+\|[{}]:'",<.>/? and does not start with a hyphen (-).
- Cannot be a weak password. To check whether a password is weak, enter it in 6.
Enter y when the following information is displayed:
```
Trust this certificate?
```
Sign the server certificate.
1. Export the server certificate server.cert-file.
```
keytool -keystore server.keystore.jks -alias localhost -certreq -file server.cert-file
```
  Enter the keystore password set in 1 as prompted.
2. Sign the server certificate with the CA.
```
openssl x509 -req -CA ca-cert -CAkey ca-key -in server.cert-file -out server.cert-signed -days 3650 -CAcreateserial
```
  Enter the PEM password set in 2 as prompted.
3. Import the CA certificate to the server keystore.
```
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
```
  Enter the keystore password set in 1 as prompted.
  Enter y when the following information is displayed:
```
Trust this certificate?
```
4. Import the signed server certificate to the server keystore.
```
keytool -keystore server.keystore.jks -alias localhost -import -file server.cert-signed
```
  Enter the keystore password set in 1 as prompted.
Export the server.keystore.jks, server.truststore.jks, and server.truststore.jks certificates to the local PC.

The server.keystore.jks and server.truststore.jks files are used to replace the keystore and truststore files in subsequent step Replacing a Certificate. client.truststore.jks is required to be stored on the client. Record the storage path and it is the value of ssl.truststore.location in the configuration file used by the client to connect to the Kafka instance.
Figure 1 Certificate directory

Step 2: Replacing a Certificate

Log in to the console.
Click in the upper left corner to select a region.

Select the same region as your application service.
Click and choose Middleware > Distributed Message Service for Kafka to open the console of DMS for Kafka.
Click the desired instance to view its details.
In the Connection area, click Re-upload next to SSL Certificate.

Figure 2 Connection information

Set the parameters for replacing the SSL certificate by referring to Table 1.

Figure 3 Replacing the SSL certificate

**Table 1** Parameters for replacing the SSL certificate
Parameter	Description
Key Password	Enter the keystore password set in 1.
Keystore Password	Enter the keystore password set in 1.
Keystore File	Import the server.keystore.jks certificate.
Truststore Password	Enter the server truststore password set in 3.
Truststore File	Import the server.truststore.jks certificate.

Click OK.
Click OK.

On the Background Tasks page, if the certificate replacement task is Successful, the certificate is successfully replaced.

After the original certificate is successfully replaced, you will download the certificate provided by DMS for Kafka rather than your own certificate by clicking Download on the Basic Information tab page.

Step 3: Modifying Client Configuration Files

After a certificate is replaced, modify the ssl.truststore.location and ssl.truststore.password parameters in the consumer.properties and producer.properties files on the client, respectively.

security.protocol=SASL_SSL
ssl.truststore.location=/opt/kafka_2.12-2.7.2/config/client.truststore.jks
ssl.truststore.password=dms@kafka
ssl.endpoint.identification.algorithm=

ssl.truststore.location: path for storing the client.truststore.jks certificate.
ssl.truststore.password: truststore password of the client certificate
ssl.endpoint.identification.algorithm: whether to verify the certificate domain name. This parameter must be left blank, which indicates disabling domain name verification.