@kafagy
Created December 29, 2019 02:50
cd ~/certs/
# The directory already holds the CA certificate and private key:
# cloud_user@ip-10-0-1-101:~/certs$ ls
# ca-cert ca-key
# Generate a client certificate. Choose a password for the client keystore when prompted.
keytool -keystore client.keystore.jks -alias kafkauser -validity 365 -genkey -keyalg RSA -dname "CN=kafkauser, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"
# Sign the key, then import the certificate authority and signed key into the keystore. When asked for the password to the ca-key, enter the password AllTheKeys:
keytool -keystore client.keystore.jks -alias kafkauser -certreq -file client-cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in client-cert-file -out client-cert-signed -days 365 -CAcreateserial
keytool -keystore client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.keystore.jks -alias kafkauser -import -file client-cert-signed
# Move the client keystore into an appropriate location:
sudo cp client.keystore.jks /var/private/ssl/
sudo chown root:root /var/private/ssl/client.keystore.jks
# Set client authentication to required in server.properties:
sudo vi /etc/kafka/server.properties
# Locate the line that begins with ssl.client.auth and change it:
ssl.client.auth=required
# Restart Kafka and then verify that everything is working:
sudo systemctl restart confluent-kafka
sudo systemctl status confluent-kafka
# Edit client-ssl.properties:
vi client-ssl.properties
# Add the following lines:
ssl.keystore.location=/var/private/ssl/client.keystore.jks
ssl.keystore.password=<your client keystore password>
ssl.key.password=<your client key password>
# Create a console consumer that authenticates with the client certificate to verify that everything is working:
kafka-console-consumer --bootstrap-server zoo1:9093 --topic inventory_purchases --from-beginning --consumer.config client-ssl.properties
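# A post-setup check script for the client-authentication configuration above, added here as an example and not part of the gist. It assumes the gist's file paths and the aliases CARoot and kafkauser; the keytool check is skipped when keytool is not installed.

```sh
#!/bin/sh
# Sanity checks for the Kafka client-auth setup (added example, not from the gist).
# Assumes the gist's paths and aliases; the keystore check needs keytool on PATH.

# prop_value FILE KEY: value of KEY in a Java .properties file. Commented-out lines
# are ignored and the last assignment wins, which is how Kafka resolves duplicates.
prop_value() {
    key=$(printf '%s\n' "$2" | sed 's/[.]/[.]/g')   # quote the dots in the key name
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_client_auth SERVER_PROPS: 0 only when the broker demands a client cert.
# "requested" still admits clients without one, so it does not pass.
check_client_auth() {
    [ "$(prop_value "$1" ssl.client.auth)" = "required" ]
}

# check_keystore_mode KEYSTORE: 0 when only the owner can read the private key.
# 'sudo cp' keeps the source mode (usually 644), leaving the key world-readable.
check_keystore_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# check_keystore_entries KEYSTORE STOREPASS: 0 when the CA root and the signed client
# key are both present under the gist's aliases (keytool prints aliases lowercased).
check_keystore_entries() {
    command -v keytool >/dev/null || { echo "keytool not found, skipping" >&2; return 0; }
    out=$(keytool -list -keystore "$1" -storepass "$2" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -qi '^caroot,.*trustedCertEntry' &&
        printf '%s\n' "$out" | grep -qi '^kafkauser,.*PrivateKeyEntry'
}

# run_checks SERVER_PROPS KEYSTORE STOREPASS: run all checks and report each failure.
run_checks() {
    rc=0
    check_client_auth "$1" || { echo "FAIL: ssl.client.auth is not 'required'"; rc=1; }
    check_keystore_mode "$2" || { echo "FAIL: keystore is readable by group/others"; rc=1; }
    check_keystore_entries "$2" "$3" || { echo "FAIL: keystore lacks CARoot/kafkauser entries"; rc=1; }
    return "$rc"
}

# Usage: sh check-mtls.sh --run /etc/kafka/server.properties \
#   /var/private/ssl/client.keystore.jks "$STOREPASS"
if [ "${1:-}" = "--run" ]; then shift; run_checks "$@"; fi
```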