kafka SSL证书生成方式
一、参数准备
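# --- Inputs ----------------------------------------------------------------
# KSPASS protects the CA private key and every JKS store built below. The
# original hard-coded "Password@123"; a literal password ends up in shell
# history and in every copy of this page. It is exported so that openssl
# (`-passout env:KSPASS`) and keytool (`-storepass:env KSPASS`) can read it
# from the environment instead of argv, where `ps` would show it.
export KSPASS="${KSPASS:?export KSPASS=<strong keystore/CA password> first}"
IP="${IP:?export IP=<broker IP> first}"          # alias and CN of the broker certificate
DNS="${DNS:?export DNS=<broker hostname> first}" # output of `hostname` on the broker

# Working directory for the CA and the keystores. umask 077 keeps ca-key and
# the *.jks files (which hold private keys) unreadable by other local users.
umask 077
mkdir -p /opt/caTest
cd /opt/caTest || exit 1

# Extension file used when the CA signs CSRs
# (`openssl x509 -req -extfile openssl.cnf -extensions v3_req`, see below).
# A minimal file with just these two sections is sufficient; downloading and
# editing the full openssl.cnf, as the original did, is not needed.
#
# Security fix versus the original: its v3_req section carried
# `basicConstraints = CA:TRUE` plus keyCertSign/cRLSign, and that section is
# what gets stamped onto the BROKER/CLIENT leaf certificates. Every leaf then
# is itself a CA, so anyone holding a broker or client key could issue
# certificates that every truststore built from ca-cert would accept.
# Leaf certificates must be CA:FALSE with TLS key usages only.
#
# Note on the SAN: `openssl x509 -req` does not copy extensions from the CSR,
# so the `-ext SAN=...` passed to keytool is not what ends up in the
# certificate; the effective SAN is [ alt_names ] here. Kafka clients verify
# the broker hostname by default (ssl.endpoint.identification.algorithm=https
# since Kafka 2.0), so list every advertised listener hostname/IP of every
# broker this certificate will serve.
cat > openssl.cnf <<'EOF'
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
# brokers also act as TLS clients (inter-broker traffic), hence both EKUs
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = 10.253.218.12
DNS.1 = Insight-03
IP.2 = 10.253.218.11
DNS.2 = Insight-02
EOF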
二、服务端证书生成
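# --- CA and broker (server) certificate -------------------------------------
# Passwords are read from the environment (openssl `env:` / keytool `:env`)
# rather than from the command line, so they are not visible in `ps` or in
# shell history. The original assigned KSPASS without exporting it.
export KSPASS
DAYS="${DAYS:-3650}"   # validity of CA and broker cert; 10 years is long for a leaf, shorten if you can rotate
umask 077              # ca-key, the serial file and *.jks must not be world-readable

# Self-signed CA; its private key is encrypted with KSPASS. The CA gets its
# own CN: the original reused the broker's exact DN, which makes issuer and
# subject identical on the broker certificate and is confusing at best.
openssl req -new -x509 -newkey rsa:4096 -sha256 \
  -keyout /opt/caTest/ca-key -out /opt/caTest/ca-cert -days "${DAYS}" \
  -passout env:KSPASS \
  -subj "/C=cn/ST=beijing/L=beijing/O=aspire/OU=aspire/CN=kafka-ca"

# Truststore holds only the CA certificate. -noprompt skips the interactive
# "Trust this certificate?" question so the step is scriptable.
keytool -importcert -noprompt -keystore /opt/caTest/server.truststore.jks \
  -alias CARoot -file /opt/caTest/ca-cert -storepass:env KSPASS

# Broker key pair. Key algorithm and size are explicit because keytool's
# defaults vary by JDK. The -ext SAN here is only informational: the signing
# step below does not copy CSR extensions, the effective SAN comes from
# [ alt_names ] in openssl.cnf.
keytool -genkeypair -keystore /opt/caTest/server.keystore.jks -alias "${IP}" \
  -validity "${DAYS}" -keyalg RSA -keysize 2048 \
  -dname "CN=${IP},OU=aspire,O=aspire,L=beijing,S=beijing,C=cn" \
  -ext "SAN=DNS:${DNS}" \
  -storepass:env KSPASS -keypass:env KSPASS

# CSR for the broker key.
keytool -certreq -keystore /opt/caTest/server.keystore.jks -alias "${IP}" \
  -file /opt/caTest/server.cert-file -storepass:env KSPASS

# CA signs the CSR. -sha256 pins the signature digest (older OpenSSL releases
# defaulted to SHA-1). -extensions v3_req takes the leaf extensions and SAN
# from openssl.cnf in the current directory (/opt/caTest); that section must
# say CA:FALSE, otherwise the broker certificate itself becomes a CA that can
# issue certificates trusted by every truststore built from ca-cert.
openssl x509 -req -sha256 -CA /opt/caTest/ca-cert -CAkey /opt/caTest/ca-key \
  -CAcreateserial -in /opt/caTest/server.cert-file \
  -out /opt/caTest/server.cert-signed -days "${DAYS}" \
  -passin env:KSPASS -extfile openssl.cnf -extensions v3_req

# Import order matters: the CA certificate must already be in the keystore
# when the signed reply is imported, otherwise keytool cannot build the chain.
keytool -importcert -noprompt -keystore /opt/caTest/server.keystore.jks \
  -alias CARoot -file /opt/caTest/ca-cert -storepass:env KSPASS
keytool -importcert -keystore /opt/caTest/server.keystore.jks -alias "${IP}" \
  -file /opt/caTest/server.cert-signed -storepass:env KSPASS -keypass:env KSPASS

# The CA private key is only needed where certificates are signed; keep it
# locked down (and off the brokers) — it is the root of trust for the cluster.
chmod 600 /opt/caTest/ca-key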
三、客户端证书签发（可选。也可以直接把服务端的 server.keystore.jks 交给客户端连接使用，但这样客户端就持有了 broker 的私钥和身份；在 broker 开启 ssl.client.auth=required 并基于证书 DN 配置 ACL 时，应为每个客户端单独签发证书，而不是共用 broker 的证书）
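# --- Client certificate (optional) -----------------------------------------
# Same flow as the broker. Give each client its own key pair instead of
# handing out server.keystore.jks. Re-export IP and DNS with the CLIENT's
# values before running this section; a stale broker value would silently be
# reused as the alias/CN. Brokers do not verify client hostnames, so the
# broker names left in openssl.cnf [ alt_names ] do no harm, but edit them
# (or point -extfile at a client-specific file) if the client certificate
# should carry the client's own name.
export KSPASS="${KSPASS:?export KSPASS=<strong keystore password> first}"  # original hard-coded Password@123
IP="${IP:?export IP=<client IP> first}"
DNS="${DNS:?export DNS=<client hostname> first}"
DAYS="${DAYS:-3650}"
umask 077

# Client truststore: only the CA certificate.
keytool -importcert -noprompt -keystore /opt/caTest/client.truststore.jks \
  -alias CARoot -file /opt/caTest/ca-cert -storepass:env KSPASS

# Client key pair. The original omitted -keyalg; keytool's default algorithm
# when it is omitted depends on the JDK (historically DSA), so pin RSA.
keytool -genkeypair -keystore /opt/caTest/client.keystore.jks -alias "${IP}" \
  -validity "${DAYS}" -keyalg RSA -keysize 2048 \
  -dname "CN=${IP},OU=aspire,O=aspire,L=beijing,S=beijing,C=cn" \
  -ext "SAN=DNS:${DNS}" \
  -storepass:env KSPASS -keypass:env KSPASS

# CSR for the client key.
keytool -certreq -keystore /opt/caTest/client.keystore.jks -alias "${IP}" \
  -file /opt/caTest/client.cert-file -storepass:env KSPASS

# CA signs the CSR with the leaf extensions from openssl.cnf (must be
# CA:FALSE; a CA:TRUE leaf would let this client mint trusted certificates).
openssl x509 -req -sha256 -CA /opt/caTest/ca-cert -CAkey /opt/caTest/ca-key \
  -CAcreateserial -in /opt/caTest/client.cert-file \
  -out /opt/caTest/client.cert-signed -days "${DAYS}" \
  -passin env:KSPASS -extfile openssl.cnf -extensions v3_req

# CA certificate first, then the signed reply, so keytool can build the chain.
keytool -importcert -noprompt -keystore /opt/caTest/client.keystore.jks \
  -alias CARoot -file /opt/caTest/ca-cert -storepass:env KSPASS
keytool -importcert -keystore /opt/caTest/client.keystore.jks -alias "${IP}" \
  -file /opt/caTest/client.cert-signed -storepass:env KSPASS -keypass:env KSPASS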