We use cookies to ensure you get the best experience on our website
首頁 探索 說明
註冊 登入
0ct0pu5
/
kafka-ui
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
分支: master
分支列表 標籤列表
kafka-ui
/
documentation
/
compose
/
ssl
/
generate_certs.sh

generate_certs.sh 6.1 KB
永久連結 文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. #!/usr/bin/env bash
    2. 

  2. 

  3. set -eu
    4. 

  4. 

  5. KEYSTORE_FILENAME="kafka.keystore.jks"
    6. 

  6. VALIDITY_IN_DAYS=3650
    7. 

  7. DEFAULT_TRUSTSTORE_FILENAME="kafka.truststore.jks"
    8. 

  8. TRUSTSTORE_WORKING_DIRECTORY="truststore"
    9. 

  9. KEYSTORE_WORKING_DIRECTORY="keystore"
    10. 

  10. CA_CERT_FILE="ca-cert"
    11. 

  11. KEYSTORE_SIGN_REQUEST="cert-file"
    12. 

  12. KEYSTORE_SIGN_REQUEST_SRL="ca-cert.srl"
    13. 

  13. KEYSTORE_SIGNED_CERT="cert-signed"
    14. 

  14. 

  15. export COUNTRY=US
    16. 

  16. export STATE=IL
    17. 

  17. export ORGANIZATION_UNIT=SE
    18. 

  18. export CITY=Chicago
    19. 

  19. export PASSWORD=secret
    20. 

  20. 

  21. COUNTRY=$COUNTRY
    22. 

  22. STATE=$STATE
    23. 

  23. OU=$ORGANIZATION_UNIT
    24. 

  24. CN=kafka0 # COMMON NAME VERIFICATION GOES BRR
    25. 

  25. LOCATION=$CITY
    26. 

  26. PASS=$PASSWORD
    27. 

  27. 

  28. function file_exists_and_exit() {
    29. 

  29.   echo "'$1' cannot exist. Move or delete it before"
    30. 

  30.   echo "re-running this script."
    31. 

  31.   exit 1
    32. 

  32. }
    33. 

  33. 

  34. if [ -e "$KEYSTORE_WORKING_DIRECTORY" ]; then
    35. 

  35.   file_exists_and_exit $KEYSTORE_WORKING_DIRECTORY
    36. 

  36. fi
    37. 

  37. 

  38. if [ -e "$CA_CERT_FILE" ]; then
    39. 

  39.   file_exists_and_exit $CA_CERT_FILE
    40. 

  40. fi
    41. 

  41. 

  42. if [ -e "$KEYSTORE_SIGN_REQUEST" ]; then
    43. 

  43.   file_exists_and_exit $KEYSTORE_SIGN_REQUEST
    44. 

  44. fi
    45. 

  45. 

  46. if [ -e "$KEYSTORE_SIGN_REQUEST_SRL" ]; then
    47. 

  47.   file_exists_and_exit $KEYSTORE_SIGN_REQUEST_SRL
    48. 

  48. fi
    49. 

  49. 

  50. if [ -e "$KEYSTORE_SIGNED_CERT" ]; then
    51. 

  51.   file_exists_and_exit $KEYSTORE_SIGNED_CERT
    52. 

  52. fi
    53. 

  53. 

  54. echo "Welcome to the Kafka SSL keystore and trust store generator script."
    55. 

  55. 

  56. trust_store_file=""
    57. 

  57. trust_store_private_key_file=""
    58. 

  58. 

  59.   if [ -e "$TRUSTSTORE_WORKING_DIRECTORY" ]; then
    60. 

  60.     file_exists_and_exit $TRUSTSTORE_WORKING_DIRECTORY
    61. 

  61.   fi
    62. 

  62. 

  63.   mkdir $TRUSTSTORE_WORKING_DIRECTORY
    64. 

  64.   echo
    65. 

  65.   echo "OK, we'll generate a trust store and associated private key."
    66. 

  66.   echo
    67. 

  67.   echo "First, the private key."
    68. 

  68.   echo
    69. 

  69. 

  70.   openssl req -new -x509 -keyout $TRUSTSTORE_WORKING_DIRECTORY/ca-key \
    71. 

  71.     -out $TRUSTSTORE_WORKING_DIRECTORY/ca-cert -days $VALIDITY_IN_DAYS -nodes \
    72. 

  72.     -subj "/C=$COUNTRY/ST=$STATE/L=$LOCATION/O=$OU/CN=$CN"
    73. 

  73. 

  74.   trust_store_private_key_file="$TRUSTSTORE_WORKING_DIRECTORY/ca-key"
    75. 

  75. 

  76.   echo
    77. 

  77.   echo "Two files were created:"
    78. 

  78.   echo " - $TRUSTSTORE_WORKING_DIRECTORY/ca-key -- the private key used later to"
    79. 

  79.   echo "   sign certificates"
    80. 

  80.   echo " - $TRUSTSTORE_WORKING_DIRECTORY/ca-cert -- the certificate that will be"
    81. 

  81.   echo "   stored in the trust store in a moment and serve as the certificate"
    82. 

  82.   echo "   authority (CA). Once this certificate has been stored in the trust"
    83. 

  83.   echo "   store, it will be deleted. It can be retrieved from the trust store via:"
    84. 

  84.   echo "   $ keytool -keystore <trust-store-file> -export -alias CARoot -rfc"
    85. 

  85. 

  86.   echo
    87. 

  87.   echo "Now the trust store will be generated from the certificate."
    88. 

  88.   echo
    89. 

  89. 

  90.   keytool -keystore $TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME \
    91. 

  91.     -alias CARoot -import -file $TRUSTSTORE_WORKING_DIRECTORY/ca-cert \
    92. 

  92.     -noprompt -dname "C=$COUNTRY, ST=$STATE, L=$LOCATION, O=$OU, CN=$CN" -keypass $PASS -storepass $PASS -storetype JKS
    93. 

  93. 

  94.   trust_store_file="$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME"
    95. 

  95. 

  96.   echo
    97. 

  97.   echo "$TRUSTSTORE_WORKING_DIRECTORY/$DEFAULT_TRUSTSTORE_FILENAME was created."
    98. 

  98. 

  99.   # don't need the cert because it's in the trust store.
    100. 

  100.   rm $TRUSTSTORE_WORKING_DIRECTORY/$CA_CERT_FILE
    101. 

  101. 

  102. echo
    103. 

  103. echo "Continuing with:"
    104. 

  104. echo " - trust store file:        $trust_store_file"
    105. 

  105. echo " - trust store private key: $trust_store_private_key_file"
    106. 

  106. 

  107. mkdir $KEYSTORE_WORKING_DIRECTORY
    108. 

  108. 

  109. echo
    110. 

  110. echo "Now, a keystore will be generated. Each broker and logical client needs its own"
    111. 

  111. echo "keystore. This script will create only one keystore. Run this script multiple"
    112. 

  112. echo "times for multiple keystores."
    113. 

  113. echo
    114. 

  114. echo "     NOTE: currently in Kafka, the Common Name (CN) does not need to be the FQDN of"
    115. 

  115. echo "           this host. However, at some point, this may change. As such, make the CN"
    116. 

  116. echo "           the FQDN. Some operating systems call the CN prompt 'first / last name'"
    117. 

  117. 

  118. # To learn more about CNs and FQDNs, read:
    119. 

  119. # https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/X509ExtendedTrustManager.html
    120. 

  120. 

  121. keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME \
    122. 

  122.   -alias localhost -validity $VALIDITY_IN_DAYS -genkey -keyalg RSA \
    123. 

  123.    -noprompt -dname "C=$COUNTRY, ST=$STATE, L=$LOCATION, O=$OU, CN=$CN" -keypass $PASS -storepass $PASS -storetype JKS
    124. 

  124. 

  125. echo
    126. 

  126. echo "'$KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME' now contains a key pair and a"
    127. 

  127. echo "self-signed certificate. Again, this keystore can only be used for one broker or"
    128. 

  128. echo "one logical client. Other brokers or clients need to generate their own keystores."
    129. 

  129. 

  130. echo
    131. 

  131. echo "Fetching the certificate from the trust store and storing in $CA_CERT_FILE."
    132. 

  132. echo
    133. 

  133. 

  134. keytool -keystore $trust_store_file -export -alias CARoot -rfc -file $CA_CERT_FILE -keypass $PASS -storepass $PASS
    135. 

  135. 

  136. echo
    137. 

  137. echo "Now a certificate signing request will be made to the keystore."
    138. 

  138. echo
    139. 

  139. keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost \
    140. 

  140.   -certreq -file $KEYSTORE_SIGN_REQUEST -keypass $PASS -storepass $PASS
    141. 

  141. 

  142. echo
    143. 

  143. echo "Now the trust store's private key (CA) will sign the keystore's certificate."
    144. 

  144. echo
    145. 

  145. openssl x509 -req -CA $CA_CERT_FILE -CAkey $trust_store_private_key_file \
    146. 

  146.   -in $KEYSTORE_SIGN_REQUEST -out $KEYSTORE_SIGNED_CERT \
    147. 

  147.   -days $VALIDITY_IN_DAYS -CAcreateserial \
    148. 

  148.   -extensions kafka -extfile san.cnf
    149. 

  149. # creates $KEYSTORE_SIGN_REQUEST_SRL which is never used or needed.
    150. 

  150. 

  151. echo
    152. 

  152. echo "Now the CA will be imported into the keystore."
    153. 

  153. echo
    154. 

  154. keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias CARoot \
    155. 

  155.   -import -file $CA_CERT_FILE -keypass $PASS -storepass $PASS -noprompt
    156. 

  156. rm $CA_CERT_FILE # delete the trust store cert because it's stored in the trust store.
    157. 

  157. 

  158. echo
    159. 

  159. echo "Now the keystore's signed certificate will be imported back into the keystore."
    160. 

  160. echo
    161. 

  161. keytool -keystore $KEYSTORE_WORKING_DIRECTORY/$KEYSTORE_FILENAME -alias localhost -import \
    162. 

  162.   -file $KEYSTORE_SIGNED_CERT -keypass $PASS -storepass $PASS
    163. 

  163. 

  164. echo
    165. 

  165. echo "All done!"
    166. 

  166. echo
    167. 

  167. echo "Deleting intermediate files. They are:"
    168. 

  168. echo " - '$KEYSTORE_SIGN_REQUEST_SRL': CA serial number"
    169. 

  169. echo " - '$KEYSTORE_SIGN_REQUEST': the keystore's certificate signing request"
    170. 

  170. echo "   (that was fulfilled)"
    171. 

  171. echo " - '$KEYSTORE_SIGNED_CERT': the keystore's certificate, signed by the CA, and stored back"
    172. 

  172. echo "    into the keystore"
    173. 

  173. 

  174.   rm $KEYSTORE_SIGN_REQUEST_SRL
    175. 

  175.   rm $KEYSTORE_SIGN_REQUEST
    176. 

  176.   rm $KEYSTORE_SIGNED_CERT
    177.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5