...

openssl req -x509 -newkey rsa:4096 -extensions SAN \
-reqexts SAN \
-subj '/C=US/CN=*.domain.com' \
-config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node2-ip,...") \
-keyout kafka-server-key.pem -out kafka-server-cert.pem -days 365 -nodes

In the command above, the CN should contain the domain name of the servers on which the MC2/Kafka service will run. The subjectAltName should list the host names and IP addresses of the servers on which MC2/Kafka runs, in the format shown, separated by commas.

Note: if a CA certificate is available, you can save the key and certificate as kafka-server-key.pem and kafka-server-cert.pem and follow the instructions below. The CA certificate must contain the SubjectAltName and a wildcard CN (common name).
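
Before building the keystore, it is worth confirming that every node's host name and IP address actually landed in the certificate's subjectAltName. The following is an added example, not part of the original page: the helper names san_entries and san_missing are hypothetical, and the host names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page). Host names and addresses are
# constructed placeholders; san_entries/san_missing are hypothetical helpers.

# Print one SAN entry per line from `openssl x509 -noout -text` output on stdin,
# normalised to the config syntax used above (the text output says "IP Address:").
san_entries() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            gsub(/^[ \t]+|[ \t\r]+$/, "")
            gsub(/IP Address:/, "IP:")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
            exit
        }'
}

# Print every required entry (the arguments) that the certificate lacks.
# Returns 0 when all are present, 1 otherwise. Exact match: DNS and IPv4 only.
san_missing() {
    have=$(san_entries)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$have" | grep -Fxq -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed certificate text: node2's address was never added to the SAN list.
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:node1.example.internal, IP Address:192.0.2.11, DNS:node2.example.internal
            X509v3 Basic Constraints:
                CA:TRUE
EOF
}

# Real use: openssl x509 -in kafka-server-cert.pem -noout -text | san_missing DNS:... IP:...
sample_cert_text | san_missing DNS:node1.example.internal IP:192.0.2.11 \
    DNS:node2.example.internal IP:192.0.2.12 || echo "^ missing from SAN"
```

A node whose address is reported missing will fail host name verification when clients connect to it by that address, so regenerate the certificate with the complete list before continuing.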

2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:

...

openssl req -x509 -newkey rsa:4096 -extensions SAN \
-reqexts SAN \
-subj '/C=US/CN=*.domain.com' \
-config <(echo "[req]"; echo "distinguished_name=req"; echo "[SAN]"; \
echo "subjectAltName=DNS:node1-hostname,IP:node1-ip,DNS:node2-hostname,IP:node2-ip,...") \
-keyout keyfile.pem -out certfile.pem -days 365

In the command above, the CN should contain the domain name of the servers on which the MC2/Kafka service will run. The subjectAltName should list the host names and IP addresses of the servers on which MC2/Kafka runs, in the format shown, separated by commas.

Write down the password used when creating the certificate. We will refer to this password as client_cert_password.

Note: if a CA certificate is available, you can save the key and certificate as keyfile.pem and certfile.pem and follow the instructions below. The CA certificate must contain the SubjectAltName and a wildcard CN (common name).

2. Create a PEM file with server key and certificate, which will be used to create the Java JKS keystore:

...