The default format is jks,

use keytool to create a Java KeyStore (JKS) with the certificate and key
for use by Kafka. You'll be prompted to create a new password for the
resulting file as well as enter the password for the PKCS12 file from the
previous step. Hang onto the new JKS password for use in configuration
below.

$ keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12 -alias myserver.internal.net

Note: It's safe to ignore the following warning from keytool.

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore server.p12 -destkeystore kafka.server.keystore.jks -srcstoretype pkcs12"


On Fri, 4 Jun 2021, 07:40, Dhirendra Singh <dhirendr...@gmail.com> wrote:

> I am trying to set up 2-way SSL authentication. My requirement is that the broker
> should authenticate only specific clients.
> My organization has a CA which issues all certificates in PKCS12 format.
> The steps I followed are as follows.
>
> 1. Got a certificate for the broker and configured it in the broker
> keystore:
>    ssl.keystore.location=/home/kafka/certificate.p12
>    ssl.keystore.password=xxxxx
>    ssl.client.auth=required
> 2. Got a certificate for the client and configured it in the client
> keystore:
>    ssl.keystore.location=/home/kafka/certificate.p12
>    ssl.keystore.password=xxxxx
> 3. Extracted the public certificate from the client certificate using the
> keytool command:
>    keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
> 4. Imported the certificate into the broker truststore. The broker truststore
> contains only the client 12345 certificate.
>    keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
> 5. Configured the truststore in the broker:
>    ssl.truststore.location=/home/kafka/truststore.p12
>    ssl.truststore.password=xxxxx
> 6. Configured the truststore in the client. The client truststore contains CA
> certificates.
>    ssl.truststore.location=/etc/pki/java/cacerts
>    ssl.truststore.password=xxxxx
>
> When I run the broker and client I expect the broker to authenticate the
> client and establish an SSL connection, but instead the following error is thrown.
> [2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1]
> Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication
> due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
> [2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1]
> Metadata update failed due to authentication error
> (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
> org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake
> failed
> Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake
> message: server_hello
>
> I tried various things but nothing seems to work. When I replace the broker
> truststore with the /etc/pki/java/cacerts truststore file, which contains only
> the CA certificate, then it works fine. But it will authenticate any client
> which has a certificate issued by the CA.
>
> What could be the issue?
>
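As an added example (not code from either message in this thread), a small Python check for the point the reply makes: Kafka's store type defaults to JKS, so a .p12 keystore or truststore listed without an explicit ssl.keystore.type or ssl.truststore.type is worth flagging before the broker is started. The properties parser and the extension-to-type mapping are assumptions made for the example, and the sample config is constructed from the settings in the question.

```python
from pathlib import PurePosixPath

# Kafka's ssl.keystore.type and ssl.truststore.type default to JKS.
DEFAULT_STORE_TYPE = "JKS"
# Assumption: store files follow conventional file-name extensions.
EXT_TO_TYPE = {".p12": "PKCS12", ".pfx": "PKCS12", ".jks": "JKS"}


def parse_properties(text: str) -> dict:
    """Parse Java key=value properties text, skipping comments and blank lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_store(props: dict, prefix: str) -> list:
    """Compare ssl.<prefix>.type (or its default) with the location's extension."""
    location = props.get(f"ssl.{prefix}.location")
    if not location:
        return []
    configured = props.get(f"ssl.{prefix}.type", DEFAULT_STORE_TYPE).upper()
    expected = EXT_TO_TYPE.get(PurePosixPath(location).suffix.lower())
    if expected and expected != configured:
        return [f"{location} looks like {expected} but ssl.{prefix}.type is "
                f"{configured} (default {DEFAULT_STORE_TYPE}); "
                f"set ssl.{prefix}.type={expected}"]
    return []


def lint_ssl_config(text: str) -> list:
    """Return one finding per keystore/truststore whose type does not match."""
    props = parse_properties(text)
    return check_store(props, "keystore") + check_store(props, "truststore")


# Constructed sample mirroring the broker settings in the question (no type set).
BROKER_CONFIG = """\
ssl.keystore.location=/home/kafka/certificate.p12
ssl.keystore.password=xxxxx
ssl.client.auth=required
ssl.truststore.location=/home/kafka/truststore.p12
ssl.truststore.password=xxxxx
"""
```

Running `lint_ssl_config(BROKER_CONFIG)` reports both stores; adding `ssl.keystore.type=PKCS12` and `ssl.truststore.type=PKCS12` clears the findings.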
