If the Kafka cluster is encrypted using a self-signed TLS certificate, you must extract
the CA certificate PEM that was used to sign your Kafka cluster's TLS certificate.
About this task
You can use the root CA certificate to create a configuration in the Manager Web Interface. If
there is a real TLS certificate (bought from a well-known Certificate Authority) on the Kafka
cluster, you don't need to paste the certificate PEM into the Manager Web Interface.
The following steps demonstrate one way to extract the root CA certificate for your Kafka
configuration. For more information, contact your Kafka cluster administrator.
Procedure
- In the config directory of your Kafka cluster, locate the server.properties file.
- In the server.properties file, locate the following lines:
  ssl.keystore.location=/var/private/ssl/kafka.keystore.jks
  ssl.keystore.password=passw0rd
- Extract the root CA certificate from the keystore and paste it into the Manager Web
  Interface. The output of this command is what you paste into the "Certificate PEM" section
  of a notification service configuration.
  $ keytool -exportcert -keystore /var/private/ssl/kafka.keystore.jks -alias caroot -rfc
  The -alias parameter matches the alias given to the CA certificate when the CA certificate
  was inserted into the keystore. If you don't know the alias, you can use
  keytool -list -v -keystore /var/private/ssl/kafka.keystore.jks to list the entries,
  and look at the aliases and entry types to see if you can find an appropriate alias. Look for
  Entry type: trustedCertEntry.
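The procedure above as a script, added here as an example and not part of the original documentation: it reads ssl.keystore.location from server.properties, finds every trustedCertEntry alias in the keytool -list -v listing, and exports each one as PEM. The function names, the KS_PASS environment variable and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and KS_PASS are hypothetical, not product settings.

# Print the value of KEY from a Java properties file (plain key=value lines).
prop_value() {  # usage: prop_value KEY FILE
    awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$2"
}

# Read `keytool -list -v` output on stdin and print the alias of every
# entry whose type is trustedCertEntry (a certificate without a private key).
trusted_aliases() {
    awk '/^Alias name: / { alias = substr($0, 13) }
         /^Entry type: / { if (substr($0, 13) == "trustedCertEntry") print alias }'
}

# Constructed sample of a `keytool -list -v` listing, for trying the parser offline.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 2 entries

Alias name: caroot
Creation date: Jan 1, 2024
Entry type: trustedCertEntry

Alias name: localhost
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
EOF
}

# Export every trusted CA certificate in the broker keystore as PEM.
export_ca_pems() {  # usage: export_ca_pems /path/to/server.properties
    ks=$(prop_value ssl.keystore.location "$1")
    [ -n "$ks" ] || { echo "ssl.keystore.location not found in $1" >&2; return 1; }
    [ -n "$KS_PASS" ] || { echo "export KS_PASS with the keystore password" >&2; return 1; }
    # -storepass:env reads the password from the environment, so it does not
    # appear in the process list the way a literal -storepass value would.
    keytool -list -v -keystore "$ks" -storepass:env KS_PASS | trusted_aliases |
    while IFS= read -r a; do
        echo "# alias: $a"
        keytool -exportcert -keystore "$ks" -storepass:env KS_PASS -alias "$a" -rfc
    done
}

# Run only when a server.properties path is given on the command line.
if [ "$#" -gt 0 ]; then export_ca_pems "$1"; fi
```

Only trustedCertEntry aliases are exported; a PrivateKeyEntry alias holds the broker's own certificate and key, which is not what the "Certificate PEM" field expects.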