Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Kafka SSL issue

Expert Contributor

Hello All

- I was able to set up SSL for the Kafka brokers, using OpenSSL.

however, I'm having issues with setting up SSL using the pem file (i.e. SSL certificate - certified by CA, provided by the company)

Here is what i've done - created the server/client keystore & truststore files and imported the provided cert.pem file

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file cert.pem
keytool -keystore kafka.client.keystore.jks -alias localhost -validity 365 -genkey
keytool -keystore kafka.client.keystore.jks -alias CARoot -import -file cert.pem 

I've a console producer pushing data in to the topic, and gives error as shown below ->

Any ideas on what the issue might be ?

Caused by: Handshake message sequence violation, state = 1, type = 1
at Method)
... 7 more 

thanks for the help in advance!


Expert Contributor

@mqureshi, @Jasper - any ideas on this ?


@Karan Alang

Can you have a look at this ssl_kafka

Super Collaborator

Hi @Karan Along,

Looks you hit the issue with ciphers.

can you please include "-keyalg rsa" to your key tool genkey command,

keytool -keystore kafka.server.keystore.jks -alias localhost -validity 365 -genkey -keyalg rsa

looks there was some issue with openssl ciphers in centos 6.5 (got to know from some website)

however, I use the following script to generate host, client certs (ca.pem,ca.crt are the private, output keys to authorize the keys)

openssl openssl req -new -x509 -keyout ca.pem -out ca.crt -days 365 -sha256
set -x


keytool -keystore ${hstnm}.keystore.jks -alias ${hstnm} -validity 365 -genkey -keyalg rsa -ext SAN=dns:${hstnm},ip:${ipaddr} -storepass changeme -dname "CN=${hstnm}, OU=IT, O=Project Labs, L=Melbourne, ST=Victoria, C=AU" -keypass changeme -keysize 2048

keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -certreq -file ${hstnm}.crtreq -storepass changeme -keypass changeme -ext SAN=dns:${hstnm},ip:${ipaddr}

openssl x509 -req -CA ca.crt -CAkey ca.pem -in ${hstnm}.crtreq -out ${hstnm}.signed -days 365 -CAcreateserial -passin pass:changeme

keytool -keystore ${hstnm}.keystore.jks -alias CARoot -import -file ca.crt -storepass changeme -noprompt

keytool -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -import -file ${hstnm}.signed -storepass changeme -noprompt

keytool -exportcert -keystore ${hstnm}.keystore.jks -alias "${hstnm}" -file ${hstnm}.crt.DER -storepass changeme

openssl x509 -inform der -in ${hstnm}.crt.DER -out ${hstnm}.crt

keytool -delete -alias "${hstnm}" -file ${hstnm}.crt -keystore server.truststore.jks -storepass changeme

keytool -import -alias "${hstnm}" -file ${hstnm}.crt -keystore server.truststore.jks -storepass changeme -noprompt



How do you generate using the script ..interesting!¨!!!

Super Collaborator

Hi @Geoffrey Shelton Okot,

the second snippet generate a key and sign the key and import the common trust store ( incase if you want two way SSL) and then import into the trust store.

<second_script(last snippet)> fqdn_host_name ip_addr

Super Guru

@Karan Alang

You have only imported a CARoot certificate assuming cert.pem is a root certificate. Where is your certificate that was issued to you by your CA? That certificate contains your private key.

follow the steps in this link of "Creating your Own CA".

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.