Enable TLS encryption for Kafka broker communication

In SSL/TLS communication, a keystore and a truststore are used to store digital certificates and private keys for secure communication between client and server.

A keystore is used to store digital certificates and private keys that are used to identify the server to the clients. In a Kafka context, the keystore typically contains the broker's own SSL/TLS certificate and private key. The keystore is password protected and the password is required to access the private key.

A truststore, on the other hand, is used to store the digital certificates of trusted Certificate Authorities (CAs) and trusted server certificates. In a Kafka context, the truststore typically contains the CA certificate or certificates that signed the broker's certificate. The truststore is also password protected.

When a client connects to a server using SSL/TLS, the server presents its certificate to the client to prove its identity. The client can then use its truststore to verify the server's certificate. If the certificate is trusted, the client can establish a secure connection with the server.

Similarly, when a server needs to authenticate a client, it can ask the client to present its own SSL/TLS certificate. The server can then use its truststore to verify the client's certificate. If the certificate is trusted, the server can establish a secure connection with the client.

The keytool utility ships with the JDK installation.

Import the CA certificate into the broker's truststore, and the server certificate into the broker's keystore:

root@kafka-vm1:~/# keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file /tls/ca-cert.pem
root@kafka-vm1:~/# keytool -keystore kafka.server.keystore.jks -alias localhost -import -file /tls/server-cert.pem 
Enter keystore password:  
Re-enter new password: 
Owner: CN=kafka1.impresst.com, OU=dev, O=Internet Widgits Pty Ltd, ST=baltimore, C=us
Issuer: CN=kafka1.impresst.com, OU=dev, O=impresst, ST=baltimore, C=us
Serial number: 1
Valid from: Tue May 02 05:29:50 UTC 2023 until: Mon Sep 02 05:29:50 UTC 3022
Certificate fingerprints:
     SHA1: 34:F1:CA:64:A6:81:7D:D8:C8:FD:32:72:30:C8:D0:6B:8C:DB:60:DB
     SHA256: F7:9B:89:07:72:E4:51:61:48:C8:4C:45:CA:33:DF:3B:D1:61:A1:A3:54:67:44:E4:91:51:EC:F5:4F:C7:3B:49
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

Both stores are created in the directory where the command is run:

root@kafka-vm1:~/# ls
kafka.server.keystore.jks  
kafka.server.truststore.jks

Create the PKCS12 file. PKCS #12 defines an archive file format for storing many cryptographic objects in a single file. It is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trust.

root@kafka-vm1:/tls# openssl pkcs12 -export -in /tls/server-cert.pem -inkey /tls/server-key.pem -out server.p12 -name kafkapkcs -CAfile /tls/ca-cert.pem -caname CARoot -password pass:GJZH*Sh%x26EYA

Here the same password is used for the keystore and for the PKCS12 file; the -srcstorepass given to keytool in the next step must match the -password used when the PKCS12 file was exported, otherwise the import fails.

Next, import the PKCS12 file into the broker's keystore:

keytool -importkeystore -destkeystore kafka.server.keystore.jks -deststoretype JKS -deststorepass "tcCysxnMJ8@WW#" -srckeystore /opt/store/server.p12  -srcstoretype PKCS12 -srcstorepass "tcCysxnMJ8@WW#" -alias kafkapkcs
Importing keystore /opt/store/server.p12 to kafka.server.keystore.jks...
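The steps above (CA certificate into the truststore, server key and certificate bundled as PKCS12, PKCS12 imported into the keystore) are collected below into one script that also checks the result. This is an added example, not part of the original page or of Kafka's own tooling; it generates a throwaway CA and a server certificate with openssl so that it runs offline, and the hostname, passwords and work directory are constructed placeholders. The CA is included in the PKCS12 with `-certfile` (with `-CAfile` alone, openssl only bundles the CA when `-chain` is also given). The keytool steps run only when a JDK is present.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a CA, a CA-signed broker
# certificate, the PKCS12 bundle and, when keytool exists, the JKS stores.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # assumption: scratch directory
BROKER_HOST="kafka1.example.test"           # constructed broker hostname
STORE_PASS="change-me-store-pass"           # constructed; keystore and p12 share it

# Minimal openssl config so the script does not depend on a system openssl.cnf.
write_openssl_cnf() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: a private CA (self-signed). Clients will put this in their truststore.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Kafka CA/O=example" \
    -keyout "$WORKDIR/ca-key.pem" -out "$WORKDIR/ca-cert.pem" 2>/dev/null
}

# Step 2: broker key + CSR, signed by the CA. The subjectAltName matters:
# Kafka clients check the broker hostname against the certificate by default.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORKDIR/openssl.cnf" \
    -subj "/CN=$BROKER_HOST/O=example" \
    -keyout "$WORKDIR/server-key.pem" -out "$WORKDIR/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' \
    "$BROKER_HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/ca-cert.pem" -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial \
    -days 365 -extfile "$WORKDIR/san.ext" -out "$WORKDIR/server-cert.pem" 2>/dev/null
}

# Step 3: bundle key + certificate + CA into PKCS12 (the page's openssl pkcs12 -export).
make_pkcs12() {
  openssl pkcs12 -export -in "$WORKDIR/server-cert.pem" -inkey "$WORKDIR/server-key.pem" \
    -certfile "$WORKDIR/ca-cert.pem" -name kafkapkcs \
    -out "$WORKDIR/server.p12" -password "pass:$STORE_PASS"
}

# Step 4 (only with a JDK): the keytool commands from the page, non-interactive.
make_jks_stores() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping JKS stores" >&2; return 0; }
  keytool -keystore "$WORKDIR/kafka.server.truststore.jks" -alias CARoot -importcert -noprompt \
    -file "$WORKDIR/ca-cert.pem" -storepass "$STORE_PASS"
  keytool -importkeystore -destkeystore "$WORKDIR/kafka.server.keystore.jks" -deststoretype JKS \
    -deststorepass "$STORE_PASS" -srckeystore "$WORKDIR/server.p12" -srcstoretype PKCS12 \
    -srcstorepass "$STORE_PASS" -alias kafkapkcs -noprompt
}

# Check 1: the broker certificate chains to the CA clients will trust and
# carries the hostname they connect to. Returns 0 when both hold.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca-cert.pem" "$WORKDIR/server-cert.pem" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORKDIR/server-cert.pem" -noout -text 2>/dev/null | grep -q "DNS:$BROKER_HOST"
}

# Check 2: the PKCS12 opens with the password keytool will be given as -srcstorepass.
verify_pkcs12_password() {
  openssl pkcs12 -in "$WORKDIR/server.p12" -noout -password "pass:$1" >/dev/null 2>&1
}

build_all() {
  write_openssl_cnf && make_ca && make_server_cert && make_pkcs12 && make_jks_stores
}

build_all
verify_chain && echo "broker certificate chains to the CA and names $BROKER_HOST"
verify_pkcs12_password "$STORE_PASS" && echo "PKCS12 opens with STORE_PASS; files in $WORKDIR"
```

Running it leaves ca-cert.pem, server.p12 and (with a JDK) kafka.server.truststore.jks and kafka.server.keystore.jks in the work directory; the two JKS files are what the broker's ssl.truststore.location and ssl.keystore.location settings point at. A failing verify_chain means clients holding only ca-cert.pem will reject the broker, and a failing verify_pkcs12_password reproduces the keytool -importkeystore error caused by a mismatched -srcstorepass.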