setup.sh
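#!/usr/bin/env bash
#
# Kafka SSL certificate generator.
#
# Creates a self-signed CA, a CA-signed broker certificate (with SANs for the
# broker name, localhost and 127.0.0.1), and packages the result as a PKCS12
# bundle plus a JKS keystore and truststore for Kafka.
#
# Usage: ./setup.sh
#
# Environment (all optional; the defaults reproduce the original behaviour):
#   KAFKA_SSL_PASS        passphrase used for every key, PKCS12 and JKS store
#   KAFKA_SSL_CN          broker common name and first DNS SAN (default: kafka)
#   KAFKA_SSL_OUTPUT_DIR  output directory, wiped on every run
#                         (default: secrets/kafka)
#
# Requires: openssl, keytool (JDK).

# Exit immediately if a command exits with a non-zero status,
# if an unset variable is used, or if a pipe fails.
set -euo pipefail

# -----------------------------------------------------------------------------
# Configuration
# -----------------------------------------------------------------------------
# The hard-coded default passphrase is kept only so existing callers (and any
# broker/client config that references it) keep working; override it through
# the environment for anything beyond local development.
PASS="${KAFKA_SSL_PASS:-VeryStrongPass123}"
CN="${KAFKA_SSL_CN:-kafka}"
OUTPUT_DIR="${KAFKA_SSL_OUTPUT_DIR:-secrets/kafka}"
readonly PASS CN OUTPUT_DIR

# openssl (env:PASS) and keytool (-storepass:env PASS) read the passphrase from
# the environment instead of argv, so it does not show up in `ps`, shell
# history or a `set -x` trace.
export PASS

#######################################
# Print an error message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

echo "---------------------------------------------------------"
echo " Kafka SSL Certificate Generator"
echo "---------------------------------------------------------"

# Fail before touching the filesystem if a required tool is missing; the
# workspace below is wiped, so a late failure would leave nothing usable.
for tool in openssl keytool; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# Prepare workspace. ${OUTPUT_DIR:?} aborts instead of expanding to an empty
# argument, so this can never degrade into `rm -rf ''` / `rm -rf /`.
rm -rf -- "${OUTPUT_DIR:?}"
mkdir -p -- "$OUTPUT_DIR"
cd -- "$OUTPUT_DIR" || die "cannot cd to $OUTPUT_DIR"

############################################
# 1. Create Certificate Authority (CA)
############################################
# Quoted delimiter: the CA config contains no shell expansions.
cat > ca.cnf <<'EOF'
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
C = BY
ST = Grodno
L = Grodnenskaya Oblast
O = Volosatie-yaica-ltd
OU = non
CN = ca
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

echo "[*] Generating CA Private Key and Certificate..."
# No -newkey: with -new and no -key, openssl generates one using default_bits
# from ca.cnf (4096).
openssl req -new -x509 \
  -keyout ca-key.pem -out ca-cert.pem \
  -days 365 -config ca.cnf \
  -passout env:PASS

############################################
# 2. Generate Broker CSR with SAN
############################################
# Unquoted delimiter on purpose: ${CN} is substituted into the DN and SAN.
cat > broker.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = BY
ST = Grodno
L = Grodnenskaya Oblast
O = Volosatie-yaica-ltd
OU = non
CN = ${CN}
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${CN}
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF

echo "[*] Generating Broker Private Key and CSR..."
openssl req -new -newkey rsa:2048 \
  -keyout broker-key.pem -out broker-csr.pem \
  -config broker.cnf -passout env:PASS

############################################
# 3. Sign Broker Certificate with CA
############################################
echo "[*] Signing Broker Certificate with CA..."
# -extfile/-extensions re-apply v3_req so the SANs from the CSR end up in the
# issued certificate; x509 -req drops CSR extensions otherwise.
openssl x509 -req -in broker-csr.pem -out broker-cert.pem \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -days 365 -passin env:PASS \
  -extfile broker.cnf -extensions v3_req

# Sanity check: the broker cert must chain to the CA we just created.
echo "[*] Verifying Broker Certificate against CA..."
openssl verify -CAfile ca-cert.pem broker-cert.pem

############################################
# 4. Export to PKCS12 and JKS (Java KeyStore)
############################################
echo "[*] Building fullchain and exporting to PKCS12..."
cat -- broker-cert.pem ca-cert.pem > broker-fullchain.pem
openssl pkcs12 -export \
  -in broker-fullchain.pem -inkey broker-key.pem \
  -out broker.p12 -name kafka-broker \
  -passin env:PASS -passout env:PASS

echo "[*] Importing into Kafka Keystore (JKS)..."
keytool -importkeystore \
  -srckeystore broker.p12 -srcstoretype PKCS12 -srcstorepass:env PASS \
  -destkeystore kafka.keystore.jks -deststoretype JKS -deststorepass:env PASS \
  -noprompt

echo "[*] Creating Kafka Truststore (JKS)..."
keytool -import -file ca-cert.pem \
  -keystore kafka.truststore.jks \
  -alias CARoot -storepass:env PASS -noprompt

# The PEM private keys are passphrase-protected but are not read by Kafka
# (it uses the JKS files), so restrict them to the owner.
chmod 600 -- ca-key.pem broker-key.pem

echo "---------------------------------------------------------"
printf ' SUCCESS: Certificates generated in %s\n' "$OUTPUT_DIR"
echo "---------------------------------------------------------"
ls -1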