Before beginning these steps, ensure that both OpenSSL and Java SE are installed.
A keystore is a repository of the keys required by the broker. A keystore must be created for the Ironstream Proxy Server and trusted by the broker.
The keystore must be in the PKCS12 format and contain:
The certificate authority certificate configured for the broker.
A certificate signed by that certificate authority.
The private key for that certificate.
As described in the Kafka documentation, a keystore can be created by running this command:
keytool -keystore kafka.client.keystore.jks -alias localhost -keyalg RSA -genkey
Follow the prompts and create the keystore. When prompted for the Common Name, enter the fully-qualified domain name of the Windows/Linux system. (On some systems, the prompt may ask for First and Last name of the administrator.)
Once the keystore has been created, run this command to convert it to the PKCS12 format:
keytool -importkeystore -srckeystore kafka.client.keystore.jks -destkeystore kafka.client.keystore.jks -deststoretype pkcs12
From the newly-created keystore, a certificate signing request (CSR) should be created with this command:
keytool -keystore kafka.client.keystore.jks -alias localhost -certreq -file cert-file
This CSR should then be signed by the certificate authority created when configuring Kafka for TLS. This can be done with this command:
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days valid-days -CAcreateserial -passin pass:ca-password
Import both the certificate of the CA and the signed certificate into the keystore:
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore kafka.client.keystore.jks -alias localhost -import -file cert-signed
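The whole procedure above, as an added shell example that is not part of the Ironstream or Kafka documentation, run non-interactively and followed by the checks a practitioner would want: that the store really is PKCS12, that it holds the private key and the CA entry, and that the signed certificate chains to ca-cert. It assumes ca-cert and ca-key are in the working directory and reads the CA key password from a file (ca-pass.txt by default, an assumed name) instead of passing pass:ca-password on the command line, where other users could read it from the process list.

```shell
#!/bin/sh
# Added example, not from the Ironstream or Kafka documentation: runs the
# keystore procedure above non-interactively and then checks the result.
# Assumptions: ca-cert and ca-key (the CA created when configuring Kafka for
# TLS) are in the working directory, and the CA key password is in the file
# named by CA_PASS_FILE, so it never appears on a command line or in `ps`.
set -eu

KS=kafka.client.keystore.jks
ALIAS=localhost
STOREPASS="${STOREPASS:-changeit}"            # constructed default; override it
CA_PASS_FILE="${CA_PASS_FILE:-ca-pass.txt}"   # assumed file holding the CA password
FQDN="${FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)}"
VALID_DAYS="${VALID_DAYS:-365}"

build_keystore() {
    # Generate the key pair straight into a PKCS12 store, so no JKS conversion is needed.
    keytool -genkeypair -keystore "$KS" -storetype pkcs12 -alias "$ALIAS" \
        -keyalg RSA -keysize 2048 -validity "$VALID_DAYS" \
        -dname "CN=$FQDN" -storepass "$STOREPASS" -keypass "$STOREPASS"
    keytool -certreq -keystore "$KS" -alias "$ALIAS" -file cert-file -storepass "$STOREPASS"
    # Sign the CSR with the Kafka CA, reading its key password from a file.
    openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
        -days "$VALID_DAYS" -CAcreateserial -passin "file:$CA_PASS_FILE"
    # The CA must be imported first so keytool can build the chain for the reply.
    keytool -importcert -keystore "$KS" -alias CARoot -file ca-cert -storepass "$STOREPASS" -noprompt
    keytool -importcert -keystore "$KS" -alias "$ALIAS" -file cert-signed -storepass "$STOREPASS" -noprompt
}

# Succeeds only if the store is PKCS12, holds the private key under $ALIAS,
# holds the CA as a trusted entry, and the signed certificate chains to ca-cert.
verify_keystore() {
    listing=$(keytool -list -keystore "$KS" -storepass "$STOREPASS" 2>&1)
    echo "$listing" | grep -qi 'Keystore type: PKCS12' || { echo "store is not PKCS12"; return 1; }
    echo "$listing" | grep -qi "^$ALIAS,.*PrivateKeyEntry" || { echo "no private key under $ALIAS"; return 1; }
    echo "$listing" | grep -qi '^caroot,.*trustedCertEntry' || { echo "CA certificate not imported"; return 1; }
    openssl verify -CAfile ca-cert cert-signed >/dev/null || { echo "certificate does not chain to ca-cert"; return 1; }
    echo "keystore $KS OK"
}

# Run the full procedure only when invoked as: sh make-keystore.sh run
if [ "${1:-}" = run ]; then
    build_keystore
    verify_keystore
fi
```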