TLS encryption

If the Kafka cluster is encrypted using a self-signed TLS certificate, you must extract the CA certificate PEM that was used to sign your Kafka cluster's TLS certificate.

About this task

You can use the root CA certificate to create a configuration in the Manager Web Interface. If the Kafka cluster has a TLS certificate bought from a well-known Certificate Authority, you don't need to paste the certificate PEM into the Manager Web Interface.

The following steps demonstrate one way to extract the root CA certificate for your Kafka configuration. For more information, contact your Kafka cluster administrator.

Procedure

  1. In the config directory of your Kafka cluster, locate the server.properties file.
  2. In the server.properties file, locate the following lines:
    ssl.keystore.location=/var/private/ssl/kafka.keystore.jks
    ssl.keystore.password=passw0rd
    
  3. Extract the root CA certificate from the keystore and paste it into the Manager Web Interface. The output of this command is what you paste into the "Certificate PEM" section of a notification service configuration.
    $ keytool -exportcert -keystore /var/private/ssl/kafka.keystore.jks -alias caroot -rfc
    The -alias parameter matches the alias given to the CA certificate when the CA certificate was inserted into the keystore. If you don't know the alias, you can use keytool -list -v -keystore /var/private/ssl/kafka.keystore.jks to list the entries, and look at the aliases and entry types to find the appropriate alias. Look for Entry type: trustedCertEntry.
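
The procedure above as shell helpers, added here as an example and not part of the product documentation: they read the keystore path from server.properties, pick trustedCertEntry aliases out of a keytool -list -v listing, and confirm that what is about to be pasted is a certificate and not a private key. The function names and the sample listing are assumptions constructed for illustration.

```shell
# Added example; function names and SAMPLE_LIST are constructed assumptions.

# prop_value KEY FILE: value of KEY in a Java properties file (last one wins).
prop_value() {
  awk -v k="$1" '
    /^[ \t]*[#!]/ { next }                          # skip comment lines
    { i = index($0, "="); if (!i) next
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (key == k) v = val }
    END { if (v != "") print v }' "$2"
}

# trusted_aliases: reads `keytool -list -v` output on stdin and prints the
# aliases whose entry type is trustedCertEntry (certificate only, no key).
trusted_aliases() {
  awk '/^Alias name: /                   { alias = substr($0, 13) }
       /^Entry type: trustedCertEntry/   { print alias }'
}

# is_cert_pem: succeeds only if stdin holds at least one PEM certificate
# and no private key block.
is_cert_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { certs++ }
       /PRIVATE KEY-----/            { keys++ }
       END { exit (certs > 0 && keys == 0) ? 0 : 1 }'
}

# export_ca_pem SERVER_PROPERTIES [ALIAS]: step 3 of the procedure.
# No -storepass is given, so keytool prompts for the password and it does
# not end up in shell history or the process list.
export_ca_pem() {
  ks_path=$(prop_value ssl.keystore.location "$1")
  [ -n "$ks_path" ] || { echo "ssl.keystore.location not found in $1" >&2; return 1; }
  keytool -exportcert -keystore "$ks_path" -alias "${2:-caroot}" -rfc
}

# Constructed sample of `keytool -list -v` output (trimmed to relevant lines).
SAMPLE_LIST='Alias name: caroot
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Alias name: localhost
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry'

printf '%s\n' "$SAMPLE_LIST" | trusted_aliases
```

On a broker host, pipe the output of export_ca_pem through is_cert_pem before pasting it into the "Certificate PEM" field.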