Hello, Igor.

Yes, we can.
But it requires access
        a. To the broker server via SSH
        b. To the JKS file itself: one who wants to get the params must know the JKS
password and have read permission for the file.

It seems to me that these kinds of permissions are too high for a simple "know
when the cert will expire" task.

My idea is to expose SSL params with AdminCommand so they can be easily obtained
and used in some kind of automation or alerting or third-party UI tool.

What do you think?

> On Dec 3, 2020, at 12:32, Igor Soarez <[email protected]> wrote:
> 
> Hi Nikolay,
> 
> You can use OpenSSL s_client to check all these things.
> 
> https://www.openssl.org/docs/manmaster/man1/s_client.html
> 
> --
> Igor
> 
> On Wed, Dec 2, 2020, at 5:44 PM, Nikolay Izhikov wrote:
>> Hello.
>> 
>> Kafka has an ability to configure SSL connections between brokers and 
>> clients.
>> SSL certificates have different params such as
>>      *       issuer
>>      *       CN
>>      *       validity date 
>> and so on.
>> 
>> Values of these parameters are important during maintenance:
>>      *       checking correctness of deployment
>>      *       planning for certification renewal (validity date)
>> 
>> AFAIK, Kafka doesn’t have a standard way to expose parameters of 
>> configured SSL certificates.
>> 
>> I think we can return those parameters as a result of some Admin command.
>> 
>> `./bin/kafka-configs.sh --entity-type ssl-certificates --describe`
>> 
>> What do you think?
>> I can create KIP if this idea is supported by the community.
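
An expiry check of the kind discussed in this thread, built on the OpenSSL tooling Igor points to. This is an added example, not code from the thread or from Kafka; the host name `broker.example.com:9093` and the certificate subject are placeholders, and the certificate is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Both functions read a PEM certificate on stdin, so they accept the output of
#   openssl s_client -connect broker.example.com:9093 </dev/null 2>/dev/null
# (placeholder host/port) as well as a certificate file.

# cert_params: print the issuer, subject (CN) and validity end date.
cert_params() {
    openssl x509 -noout -issuer -subject -enddate
}

# cert_expires_within DAYS: return 0 if the certificate expires within DAYS days.
# -checkend exits 0 when the cert is still valid after N seconds, so the status
# is inverted; unreadable input also returns 0, so a broken check raises an alert.
cert_expires_within() {
    ! openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# make_sample_cert OUT_PEM DAYS: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=broker.example.test" -days "$2" -out "$1" 2>/dev/null
    rm -f "$1.key"
}

# Demo: a certificate valid for 10 days trips a 30-day renewal threshold.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/cert.pem" 10
cert_params < "$demo_dir/cert.pem"
if cert_expires_within 30 < "$demo_dir/cert.pem"; then
    echo "ALERT: certificate expires within 30 days"
fi
rm -rf "$demo_dir"
```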
