momo-jun commented on code in PR #16924:
URL: https://github.com/apache/pulsar/pull/16924#discussion_r939787187


##########
site2/docs/security-tls-transport.md:
##########
@@ -144,6 +146,46 @@ openssl ca -config openssl.cnf -extensions server_cert \
 
 At this point, you have a cert, `broker.cert.pem`, and a key, 
`broker.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure 
TLS transport encryption for your broker and proxy nodes.
 
+### Client certificate
+
+1. Enter the command below to generate the key.
+
+```bash
+
+openssl genrsa -out client.key.pem 2048
+
+```
+
+The client expects the key to be in [PKCS 
8](https://en.wikipedia.org/wiki/PKCS_8) format, so enter the following command 
to convert it.
+
+```bash
+
+openssl pkcs8 -topk8 -inform PEM -outform PEM \
+      -in client.key.pem -out client.key-pk8.pem -nocrypt
+
+```
+
+2. Enter the following command to generate the certificate request.
+
+```bash
+
+openssl req -config openssl.cnf \
+    -key client.key.pem -new -sha256 -out client.csr.pem
+
+```
+
+3. Sign it with the certificate authority by entering the command below.
+
+```bash
+
+openssl ca -config openssl.cnf -extensions client_cert \
+    -days 1000 -notext -md sha256 \
+    -in client.csr.pem -out client.cert.pem
+
+```
+
+At this point, you have a cert, `client.cert.pem`, and a key, 
`client.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure 
TLS transport encryption for your client.
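
Review bot: In step 1, `-nocrypt` writes `client.key-pk8.pem` as an unencrypted private key, and the `client.key.pem` produced by `openssl genrsa` is unencrypted as well, yet the new section says nothing about protecting either file. Suggest adding a sentence after the conversion command telling readers to restrict both files to the owning user (for example `chmod 600 client.key.pem client.key-pk8.pem`), and noting after step 3 that `client.key.pem` is only used for the PKCS 8 conversion and the CSR, since the closing paragraph has the client use `client.key-pk8.pem`. Minor: the blank lines just inside each bash fence will render as empty lines in the code blocks and can be dropped.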

Review Comment:
   ```suggestion
   At this point, you have a cert `client.cert.pem` and a key 
`client.key-pk8.pem`, which you can use along with `ca.cert.pem` to configure 
TLS encryption for your client.
   ```


