Generating PEM files
You must generate keystores, trustores, and certificate files using openssl.exe and keytool.exe.
Before you begin
Access the openssl.exe file from the <CAMPAIGN_INSTALLATION_DIR_PATH>\Campaign\bin location and access the keytool.exe from the <JAVA_INSTALLATION_DIR_PATH>\jdk1.8.0_161\bin location.
Create a directory named KafkaCertificates in the confiogured Kafka workspace. For example, if you have configured Kafka workspace at C:\Workspace\kafka\Tools\, create a directory named KafkaCertificates within the Tools folder.
About this task
To generate a PEM file, complete the following steps:
Procedure
- Open the Microsoft Windows command-line console.
-
Access the KafkaCertificates directory from the Kafka
workspace, for example
C:\Workspace\kafka\Tools\KafkaCertificates, and
complete the following steps:
- Run the command set OPENSSL_CONF=CAMPAIGN_REPOSITORY_PATH\GNU\bin\x64\openssl.cnf.
-
Run the command keytool -keystore kafka.server.keystore.jks
-alias localhost -validity 365 -genkey and enter
appropriate values for the following queries:
- What is your first and last name?
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?
- Confirmation for all entered values - Confirm with a YES if all the entered values are appropriate.
- Enter key password for <localhost> - Set a password and ensure to use the same password at later stages.
- Re-enter new password
-
Run the command openssl req -new -x509 -keyout ca-key -out
ca-cert -days 365 and enter appropriate values for the
following queries:
- Country Name (2 letter code)
- State or Province Name (full name)
- Locality Name (eg, city)
- Organization Name (eg, company)
- Organizational Unit Name (eg, section)
- Common Name (e.g. server FQDN or YOUR name)
- Email Address
-
Run the command keytool -keystore kafka.server.truststore.jks
-alias CARoot -import -file ca-cert and enter appropriate
values for the following queries:
- Enter keystore password
- Re-enter new password
-
Run the command keytool -keystore kafka.client.truststore.jks
-alias CARoot -import -file ca-cert and enter appropriate
values for the following queries:
- Enter keystore password
- Re-enter new password
- Trust this certificate? - Confirm with a YES.
-
Run the command keytool -keystore kafka.server.keystore.jks
-alias localhost -certreq -file cert-file and enter
appropriate value for the following query:
- Enter keystore password
-
Run the command openssl x509 -req -CA ca-cert -CAkey ca-key
-in cert-file -out cert-signed -days 365 -CAcreateserial -passin
pass:<password> where
<password>is the password that you set. -
Run the command keytool -keystore kafka.server.keystore.jks
-alias CARoot -import -file ca-cert and enter appropriate
value for the following query:
- Enter keystore password
-
Run the command keytool -keystore kafka.server.keystore.jks
-alias localhost -import -file cert-signed and enter
appropriate value for the following query:
- Enter keystore password
-
Run the command keytool -keystore kafka.client.keystore.jks
-alias localhost -validity 365 -genkey and enter
appropriate values for the following queries:
- What is your first and last name?
- What is the name of your organizational unit?
- What is the name of your organization?
- What is the name of your City or Locality?
- What is the name of your State or Province?
- What is the two-letter country code for this unit?
- Confirmation for all entered values - Confirm with a YES if all the entered values are appropriate.
- Enter key password for <localhost> - Press ENTER if you want to set the same password as the one set earlier for keystore.
- Re-enter new password
-
Run the command keytool -keystore kafka.client.keystore.jks
-alias localhost -certreq -file cert-file and enter
appropriate value for the following query:
- Enter keystore password
-
Run the command keytool -keystore kafka.client.keystore.jks
-alias localhost -certreq -file cert-file and enter
appropriate value for the following query:
- Enter keystore password
-
Run the command openssl x509 -req -CA ca-cert -CAkey ca-key
-in cert-file -out cert-signed -days 365 -CAcreateserial -passin
pass:<password> where
<password>is the password that you set. If you have set a new password at Step j, use that password or use the password that you set at Step b. -
Run the command keytool -keystore kafka.client.keystore.jks
-alias CARoot -import -file ca-cert and enter appropriate
value for the following query:
- Enter keystore password
- Trust this certificate? - Confirm with a YES.
-
Run the command keytool -keystore kafka.client.keystore.jks
-alias localhost -import -file cert-signed and enter
appropriate value for the following query:
- Enter keystore password
-
Run the command keytool -noprompt -keystore
kafka.client.keystore.jks -exportcert -alias localhost -rfc
-storepass <password> -file
<clientcertificate_pemfilename>.pem, where:
<password>is the password that you set. If you have set a new password at Step j, use that password or use the password that you set at Step b.<clientcertificate_pemfilename>is the name to be set for the client certificate PEM file.
-
Run the command keytool -noprompt -srckeystore
kafka.client.keystore.jks -importkeystore -srcalias localhost
-destkeystore cert_and_key.p12 -deststoretype PKCS12 -srcstorepass
<password> -storepass <password>, where
<password>is the password that you set. If you have set a new password at Step j, use that password or use the password that you set at Step b. -
Run the command openssl pkcs12 -in cert_and_key.p12 -nocerts
-nodes -passin pass:<password> -out
<clientkey_pemfilename>.pem, where:
<password>is the password that you set. If you have set a new password at Step j, use that password or use the password that you set at Step b.<clientkey_pemfilename>is the name to be set for the client key PEM file.