This document outlines the steps needed to configure SSL/TLS for a ZooKeeper instance and multiple Kafka brokers (broker0, broker1, broker2). It includes generating a Certificate Authority (CA), creating truststores and keystores, and signing certificates for secure communication.
Generate a self-signed Certificate Authority (CA) that will be used to sign the certificates for ZooKeeper and Kafka brokers.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
Create a truststore for ZooKeeper to store the CA certificate.
keytool -keystore kafka.zookeeper.truststore.jks -alias ca-cert -import -file ca-cert
Create a keystore for ZooKeeper and generate a key pair for the ZooKeeper server.
keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
Generate a Certificate Signing Request (CSR) for the ZooKeeper keystore.
keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -certreq -file ca-request-zookeeper
Sign the CSR using the CA created earlier.
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper -out ca-signed-zookeeper -days 3650 -CAcreateserial
Import the CA certificate into the ZooKeeper keystore.
keytool -keystore kafka.zookeeper.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate back into the ZooKeeper keystore.
keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -import -file ca-signed-zookeeper
Create a truststore for the ZooKeeper client to store the CA certificate.
keytool -keystore kafka.zookeeper-client.truststore.jks -alias ca-cert -import -file ca-cert
Create a keystore for the ZooKeeper client and generate a key pair.
keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
Generate a Certificate Signing Request (CSR) for the ZooKeeper client keystore.
keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper -certreq -file ca-request-zookeeper-client
Sign the CSR using the CA created earlier.
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper-client -out ca-signed-zookeeper-client -days 3650 -CAcreateserial
Import the CA certificate into the ZooKeeper client keystore.
keytool -keystore kafka.zookeeper-client.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate back into the ZooKeeper client keystore.
keytool -keystore kafka.zookeeper-client.keystore.jks -alias zookeeper -import -file ca-signed-zookeeper-client
Create a truststore for Kafka broker 0 to store the CA certificate.
keytool -keystore kafka.broker0.truststore.jks -alias ca-cert -import -file ca-cert
Create a keystore for Kafka broker 0 and generate a key pair.
keytool -keystore kafka.broker0.keystore.jks -alias broker0 -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost,dns:broker0
Generate a Certificate Signing Request (CSR) for the Kafka broker 0 keystore.
keytool -keystore kafka.broker0.keystore.jks -alias broker0 -certreq -file ca-request-broker0
Sign the CSR using the CA created earlier.
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-broker0 -out ca-signed-broker0 -days 3650 -CAcreateserial
Import the CA certificate into the Kafka broker 0 keystore.
keytool -keystore kafka.broker0.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate back into the Kafka broker 0 keystore.
keytool -keystore kafka.broker0.keystore.jks -alias broker0 -import -file ca-signed-broker0
Create a truststore for Kafka broker 1 to store the CA certificate.
keytool -keystore kafka.broker1.truststore.jks -alias ca-cert -import -file ca-cert
Create a keystore for Kafka broker 1 and generate a key pair.
keytool -keystore kafka.broker1.keystore.jks -alias broker1 -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost,dns:broker1
Generate a Certificate Signing Request (CSR) for the Kafka broker 1 keystore.
keytool -keystore kafka.broker1.keystore.jks -alias broker1 -certreq -file ca-request-broker1
Sign the CSR using the CA created earlier.
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-broker1 -out ca-signed-broker1 -days 3650 -CAcreateserial
Import the CA certificate into the Kafka broker 1 keystore.
keytool -keystore kafka.broker1.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate back into the Kafka broker 1 keystore.
keytool -keystore kafka.broker1.keystore.jks -alias broker1 -import -file ca-signed-broker1
Create a truststore for Kafka broker 2 to store the CA certificate.
keytool -keystore kafka.broker2.truststore.jks -alias ca-cert -import -file ca-cert
Create a keystore for Kafka broker 2 and generate a key pair.
keytool -keystore kafka.broker2.keystore.jks -alias broker2 -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost,dns:broker2
Generate a Certificate Signing Request (CSR) for the Kafka broker 2 keystore.
keytool -keystore kafka.broker2.keystore.jks -alias broker2 -certreq -file ca-request-broker2
Sign the CSR using the CA created earlier.
openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-broker2 -out ca-signed-broker2 -days 3650 -CAcreateserial
Import the CA certificate into the Kafka broker 2 keystore.
keytool -keystore kafka.broker2.keystore.jks -alias ca-cert -import -file ca-cert
Import the signed certificate back into the Kafka broker 2 keystore.
keytool -keystore kafka.broker2.keystore.jks -alias broker2 -import -file ca-signed-broker2
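The same truststore/keystore/CSR/sign/import sequence is repeated above for five components. As an added example (not part of the original guide), the script below wraps that sequence in one function so each component is built the same way, and then checks the result. It assumes a keystore password in KS_PASS (default "changeit"), subjects of the form "CN=<name>", an unencrypted CA key for unattended use, and that the CSR is signed with an openssl extfile: `openssl x509 -req` drops the CSR's extensions unless told to keep them, so the SAN set with `keytool -ext` would otherwise not appear in the signed certificate and Kafka's default hostname verification would reject it.

```shell
#!/bin/sh
# Added example, not the guide's own script. Assumptions beyond the page: keystore
# password from KS_PASS, subjects "CN=<name>", unencrypted CA key, and an openssl
# extfile so the SAN requested with keytool -ext survives signing.
set -eu
KS_PASS="${KS_PASS:-changeit}"

# Turn a keytool SAN list ("dns:a,dns:b" / "ip:x") into an OpenSSL extension file.
san_extfile() {
    printf 'subjectAltName=%s\n' \
        "$(printf '%s' "$1" | sed -e 's/dns:/DNS:/g' -e 's/ip:/IP:/g')"
}

# Truststore, keystore, CSR, CA signature and imports for one component.
# Usage: build_component <name> <san-list>, e.g. build_component broker1 dns:localhost,dns:broker1
build_component() {
    name="$1"; san="$2"
    keytool -keystore "kafka.$name.truststore.jks" -alias ca-cert -import -noprompt \
        -file ca-cert -storepass "$KS_PASS"
    keytool -keystore "kafka.$name.keystore.jks" -alias "$name" -validity 3650 -genkey \
        -keyalg RSA -ext "SAN=$san" -dname "CN=$name" -storepass "$KS_PASS" -keypass "$KS_PASS"
    keytool -keystore "kafka.$name.keystore.jks" -alias "$name" -certreq \
        -file "ca-request-$name" -storepass "$KS_PASS"
    san_extfile "$san" > "ext-$name.cnf"
    openssl x509 -req -CA ca-cert -CAkey ca-key -in "ca-request-$name" \
        -out "ca-signed-$name" -days 3650 -CAcreateserial -extfile "ext-$name.cnf"
    keytool -keystore "kafka.$name.keystore.jks" -alias ca-cert -import -noprompt \
        -file ca-cert -storepass "$KS_PASS"
    keytool -keystore "kafka.$name.keystore.jks" -alias "$name" -import -noprompt \
        -file "ca-signed-$name" -storepass "$KS_PASS"
}

# Check: the signed certificate chains to the CA and still carries the expected SAN.
# Usage: verify_signed <name> <dns-name>
verify_signed() {
    openssl verify -CAfile ca-cert "ca-signed-$1" >/dev/null &&
    openssl x509 -in "ca-signed-$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# Run the whole procedure for the five components when RUN_PKI=1.
if [ "${RUN_PKI:-0}" = "1" ]; then
    openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 -nodes -subj "/CN=kafka-ca"
    for c in zookeeper zookeeper-client broker0 broker1 broker2; do
        case "$c" in broker*) san="dns:localhost,dns:$c"; host="$c" ;;
                     *) san="dns:localhost"; host=localhost ;; esac
        build_component "$c" "$san" && verify_signed "$c" "$host"
    done
fi
```

Running it with `RUN_PKI=1 sh build-pki.sh` in an empty directory produces the same file names the guide uses; `verify_signed` fails for any component whose certificate lost its SAN.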
By following these commands, you will have successfully set up SSL/TLS for your ZooKeeper instance, ZooKeeper client, and all three Kafka brokers (broker0, broker1, broker2). Each component will use a certificate signed by the same Certificate Authority, ensuring trusted and secure communication across the entire Kafka cluster.