From 504c3309e8dd90c4e2d66330bd9394753a9d5728 Mon Sep 17 00:00:00 2001
From: nasark
Date: Sun, 9 Apr 2023 16:40:35 -0400
Subject: [PATCH 1/2] add script to generate kafka keystores
---
 tools/keystore_generator.sh | 46 +++++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100755 tools/keystore_generator.sh
diff --git a/tools/keystore_generator.sh b/tools/keystore_generator.sh
new file mode 100755
index 000000000..b4d967500
--- /dev/null
+++ b/tools/keystore_generator.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+CA_CERT_PATH=$CA_CERT_PATH
+CA_KEY_PATH=$CA_KEY_PATH
+KEYSTORE_PASS=$KEYSTORE_PASS
+
+if [ ! -e "$CA_CERT_PATH" ] || [ ! -e "$CA_KEY_PATH" ]; then
+ echo "CA does not exist, please provide the corrrect paths in CA_CERT_PATH and CA_KEY_PATH"
+ exit 1
+fi
+
+if [ -z "$KEYSTORE_PASS" ]; then
+ echo "Please provide a keystore password in KEYSTORE_PASS"
+ exit 1
+fi
+
+# Generate truststore containing CA
+keytool -keystore ./kafka.truststore.jks \
+ -alias CARoot -import -file $CA_CERT_PATH \
+ -noprompt -dname "CN=kafka" -keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS
+
+# Generate keystore
+keytool -keystore ./kafka.keystore.jks \
+ -alias kafka -validity 365 -genkey -keyalg RSA \
+ -noprompt -dname "CN=kafka" -keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS
+
+# Create certificate signing request to keystore
+keytool -keystore ./kafka.keystore.jks -alias kafka \
+ -certreq -file cert-sign-req -keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS
+
+# Sign keystore's certificate using CA key
+openssl x509 -req -CA $CA_CERT_PATH -CAkey $CA_KEY_PATH \
+ -in ./cert-sign-req -out cert-sign \
+ -days 365 -CAcreateserial
+
+# Import CA into keystore
+keytool -keystore ./kafka.keystore.jks -alias CARoot \
+ -import -file $CA_CERT_PATH -keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS -noprompt
+
+# Import signed certificate back into keystore
+keytool -keystore ./kafka.keystore.jks -alias kafka -import \
+ -file ./cert-sign -keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS
+
+echo "Truststore and keystore have been successfully created"
From 7b8780aacdbe904fadb5876ed31eed3604160df4 Mon Sep 17 00:00:00 2001
From: nasark
Date: Sun, 9 Apr 2023 16:42:44 -0400
Subject: [PATCH 2/2] remove kafka cert generation from cert_generator script
---
 tools/cert_generator.rb | 1 -
 tools/keystore_generator.sh | 11 ++++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
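Review bot: Every keytool call in this hunk passes the secret on the command line as `-keypass $KEYSTORE_PASS -storepass $KEYSTORE_PASS`, which makes the keystore password readable to any local user through the process list for the duration of each call; keytool accepts `-storepass:env KEYSTORE_PASS` and `-keypass:env KEYSTORE_PASS` so the value can stay in the environment instead. The same variables, together with `$CA_CERT_PATH` and `$CA_KEY_PATH`, are unquoted in the keytool and openssl invocations even though the `if` tests above already quote them, so a path containing spaces or glob characters will be split; `"$CA_CERT_PATH"` should be used throughout. The signing step `openssl x509 -req ... -days 365 -CAcreateserial` passes no `-extfile`, so the issued certificate carries only `CN=kafka` and no subjectAltName, which clients performing hostname verification are likely to reject; if that is acceptable for a dev-only setup a comment saying so would help. The three `CA_CERT_PATH=$CA_CERT_PATH`-style self-assignments are no-ops, and the intermediate `cert-sign-req`, `cert-sign` and CA serial files are left in the working directory after success.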
diff --git a/tools/cert_generator.rb b/tools/cert_generator.rb index 8a98caf03..213116a1d 100755 --- a/tools/cert_generator.rb +++ b/tools/cert_generator.rb @@ -69,7 +69,6 @@ def generate_cert(dest, *sans) c = CertGenerator.new c.generate_cert("httpd") -c.generate_cert("kafka") c.generate_cert("memcached") c.generate_cert("postgresql") diff --git a/tools/keystore_generator.sh b/tools/keystore_generator.sh index b4d967500..165171985 100755 --- a/tools/keystore_generator.sh +++ b/tools/keystore_generator.sh @@ -2,9 +2,14 @@ set -e -CA_CERT_PATH=$CA_CERT_PATH -CA_KEY_PATH=$CA_KEY_PATH -KEYSTORE_PASS=$KEYSTORE_PASS +echo "Enter CA cert path:" +read CA_CERT_PATH + +echo "Enter CA key path:" +read CA_KEY_PATH + +echo "Set Keystore password:" +read KEYSTORE_PASS if [ ! -e "$CA_CERT_PATH" ] || [ ! -e "$CA_KEY_PATH" ]; then echo "CA does not exist, please provide the corrrect paths in CA_CERT_PATH and CA_KEY_PATH"
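Review bot: `read KEYSTORE_PASS` in the keystore_generator.sh hunk echoes the password to the terminal as it is typed; `read -rs KEYSTORE_PASS` (followed by an `echo` to restore the newline) keeps the secret off the screen. The two path prompts should likewise use `read -r CA_CERT_PATH` and `read -r CA_KEY_PATH` so that a backslash in a path is not interpreted as an escape. The context line `echo "CA does not exist, please provide the corrrect paths in CA_CERT_PATH and CA_KEY_PATH"` still directs the user to environment variables that this commit stops reading, and has a typo; `"CA does not exist, please provide the correct paths to the CA certificate and key"` would match the new prompts. The `if` block that message belongs to continues outside the hunk.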