Jennifer88huang commented on a change in pull request #5038: [doc] Improve Pulsar security-tls-authentication URL: https://github.com/apache/pulsar/pull/5038#discussion_r317904010
########## File path: site2/docs/security-tls-authentication.md ########## 
@@ -6,47 +6,48 @@ sidebar_label: Authentication using TLS ## TLS Authentication Overview -TLS authentication is an extension of [TLS transport encryption](security-tls-transport.md), but instead of only servers having keys and certs which the client uses to verify the server's identity, clients also have keys and certs which the server uses to verify the client's identity. You must have TLS transport encryption configured on your cluster before you can use TLS authentication. This guide assumes you already have TLS transport encryption configured. +TLS authentication is an extension of [TLS transport encryption](security-tls-transport.md). Not only servers have keys and certs that the client uses to verify the identity of servers, clients also have keys and certs that the server uses to verify the identity of clients . You must have TLS transport encryption configured on your cluster before you can use TLS authentication. This guide assumes you already have TLS transport encryption configured. -### Creating client certificates +### Create client certificates -Client certificates are generated using the same certificate authority as was used to generate the server certificates. +The server certificates use a certificate authority to generate the server certificates. You can use the same certificate authority as the server used to generate client certificates. The biggest difference between client certs and server certs is that the **common name** for the client certificate is the **role token** which that client will be authenticated as. -First generate the key. +First, you need to generate the key using the follwing command: + ```bash $ openssl genrsa -out admin.key.pem 2048 ``` -Similar to the broker, the client expects the key to be in [PKCS 8](https://en.wikipedia.org/wiki/PKCS_8) format, so convert it. 
+Similar to the broker, the client expects the key to be in [PKCS 8](https://en.wikipedia.org/wiki/PKCS_8) format, so you need to convert it by running the follwing command: ```bash $ openssl pkcs8 -topk8 -inform PEM -outform PEM \ -in admin.key.pem -out admin.key-pk8.pem -nocrypt ``` -Generate the certificate request. When asked for a **common name**, enter the **role token** which you want this key pair to authenticate a client as. +Next, generate the certificate request using the command below. When you are asked for a **common name**, enter the **role token** that you want this key pair to authenticate a client as. ```bash $ openssl req -config openssl.cnf \ -key admin.key.pem -new -sha256 -out admin.csr.pem ``` > Note -> If there is no openssl.cnf, please read [Certificate authority](http://pulsar.apache.org/docs/en/security-tls-transport/#certificate-authority) to get the openssl.cnf. +> If openssl.cnf is not specified, read [Certificate authority](http://pulsar.apache.org/docs/en/security-tls-transport/#certificate-authority) to get the openssl.cnf. -Sign with request with the certificate authority. Note that that client certs uses the **usr_cert** extension, which allows the cert to be used for client authentication. +Then, sign with request with the certificate authority using the command below. Note that that client certs uses the **usr_cert** extension, which allows the cert to be used for client authentication. ```bash $ openssl ca -config openssl.cnf -extensions usr_cert \ -days 1000 -notext -md sha256 \ -in admin.csr.pem -out admin.cert.pem ``` -This will give you a cert, `admin.cert.pem`, and a key, `admin.key-pk8.pem`, which, with `ca.cert.pem`, can be used by clients to authenticate themselves to brokers and proxies as the role token ``admin``. +You can get a cert, `admin.cert.pem`, and a key, `admin.key-pk8.pem` from this command. 
With `ca.cert.pem`, clients can used this cert and this key to authenticate themselves to brokers and proxies as the role token ``admin``. Review comment: Consult an eng whether you understand this sentence correctly. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
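Review bot: the rewritten opening of the "Create client certificates" section drops the point the original made, that client certificates must be signed by the same certificate authority that signed the server certificates; the new sentence "The server certificates use a certificate authority to generate the server certificates." is circular, so suggest "Client certificates must be signed by the same certificate authority that signed the server certificates." Since the hunk also states that the common name of the client certificate is the role token the client is authenticated as, that CA relationship is what bounds who can mint a given role, and it should stay explicit. Several added lines carry typos or grammar slips: "follwing" (twice) should be "following"; "identity of clients ." has a stray space before the period; "sign with request with the certificate authority" and "Note that that client certs uses" were carried over from the old text unfixed and should read "sign the request with the certificate authority" and "Note that client certs use"; and "clients can used this cert" should be "clients can use this cert". Finally, "If openssl.cnf is not specified" changes the meaning of the original "If there is no openssl.cnf" (the file being absent versus a flag not being passed); keep the original wording.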
