How to secure a Kafka broker server with a company-signed SSL certificate instead of a self-signed certificate

New Contributor

 

Right now I use SSL on the Kafka nodes with a self-signed cert, but it cannot pass the audit by the infra team. I need to adopt the company cert instead of a self-signed cert, using syntax that looks like the following:

 

openssl req -new -sha256 -nodes -newkey rsa:2048 -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
SamplePassword123
[ dn ]
C=TH
ST=Bangkok
L=Chaxxx
O=xtac Public Company Limited
OU=Enterprise Service Support
emailAddress=john.doe@xtac.co.th
CN = rs-xxx-hmb-201.xtac.dev

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = rs-xxx-hmb-201
DNS.2 = rs-xxx-hmb-201.xtac.dev

EOF
)

 

None of this syntax works; please help me with what I should do, or tell me what I did wrong.

Accepted Solution

Cloudera Employee

@vorraluck, following is the error I see, which points to the parameter 'SamplePassword123'. You're missing the "=" sign in this parameter, as the error hints.

 

# openssl req -new -sha256 -nodes -newkey rsa:2048 -config /tmp/openssl.cnf
error on line 13 of /tmp/openssl.cnf
140163633919888:error:0E079065:configuration file routines:DEF_LOAD_BIO:missing equal sign:conf_def.c:345:line 13

 

Change SamplePassword123 to SamplePassword = 123. Once the change is made, both the private key and the CSR file can be created.

 

[root@node1 ~]# openssl req -new -sha256 -nodes -newkey rsa:2048 -config <(
>
> cat <<-EOF
>
> [req]
>
> default_bits = 2048
>
> prompt = no
>
> default_md = sha256
>
> req_extensions = req_ext
>
> distinguished_name = dn
>
> SamplePassword = 123
>
> [ dn ]
>
> C=TH
>
> ST=Bangkok
>
> L=Chaxxx
>
> O=xtac Public Company Limited
>
> OU=Enterprise Service Support
>
> emailAddress=john.doe@xtac.co.th
>
> CN = rs-xxx-hmb-201.xtac.dev
>
>
>
> [ req_ext ]
>
> subjectAltName = @alt_names
>
>
>
> [ alt_names ]
>
> DNS.1 = rs-xxx-hmb-201
>
> DNS.2 = rs-xxx-hmb-201.xtac.dev
>
>
>
> EOF
>
> )
Generating a 2048 bit RSA private key
.+++
.....................................................................................................................................................................................................................+++
writing new private key to stdout
-----BEGIN PRIVATE KEY-----
[private key material omitted]
-----END PRIVATE KEY-----
-----
-----BEGIN CERTIFICATE REQUEST-----
[CSR material omitted]
-----END CERTIFICATE REQUEST-----
[root@node1 ~]#

 

 

Cheers! 


3 Replies

Cloudera Employee

Hey, if you are trying to create a CSR with a SAN (subjectAltName), check the available parameters in OpenSSL:

https://github.com/openssl/openssl/blob/master/apps/openssl.cnf

Also, share the error you are getting.


Community Manager

@vorraluck, have any of the replies helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future.


Regards,

Vidya Sargur,
Community Manager
