Kafka Command Line Tools

Using Mutual TLS on the Client Side with Kafka Command Line Tools

How to use TLS, client authentication, and CA certificates in Kafka Command Line Tools

Create a private key and request a certificate for your Kafka Command Line Tools client

Before you can teach your client to speak TLS, you will need a certificate issued by a trusted certificate authority (CA). If your organization already runs its own CA and you have a private key and certificate for your Kafka Command Line Tools client, along with your CA's root certificate, you can skip to the next step.

To request a certificate from your CA using the step CLI, bootstrap your CA with step ca bootstrap and run the following command (sub the client name for the actual name / DNS name of your Kafka Command Line Tools client).

$ step ca certificate "myuser" client.crt client.key

Your certificate and private key will be saved in client.crt and client.key respectively.

Request a copy of your CA root certificate, which will be used to make sure each application can trust certificates presented by other applications.

$ step ca root ca.crt

Your certificate will be saved in ca.crt.

Open a connection from Kafka Command Line Tools using mutual TLS

Now, we need only to configure our Kafka Command Line Tools client to make authenticated requests using our certificate and private key. The CA root certificate will be used to verify that the client can trust the certificate presented by the server.

Use openssl to package up the client private key and certificate into PKCS12 format. You'll be prompted to create a password here. Hold on to this, as you'll need it in the next step and in configuration later.

$ openssl pkcs12 -export -in client.crt -inkey client.key -name myuser > client.p12

Next, use keytool to create a Java KeyStore (JKS) with the certificate and key. You'll be prompted to create a new password for the resulting file as well as enter the password for the PKCS12 file from the previous step. Hang onto the new JKS password for use in configuration below.

$ keytool -importkeystore -srckeystore client.p12 -destkeystore kafka.client.keystore.jks -srcstoretype pkcs12 -alias myuser

Note: It's safe to ignore the following warning from keytool.

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore client.p12 -destkeystore kafka.client.keystore.jks -srcstoretype pkcs12".

You'll also need a trust store in JKS format containing the root certificate from your CA. The command line tools will use this trust store to make sure the certificate presented by the broker was signed by your CA. Create the password and agree to trust your CA certificate (type "yes"). Hold onto thie password for this one as well.

$ keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca.crt

Copy your Java KeyStore files into place.

$ sudo mkdir -p /var/private/ssl $ sudo cp kafka.client.*.jks /var/private/ssl/ $ sudo chown kafka:kafka /var/private/ssl/kafka.client.*.jks

Create a new properties file named client.properties that you'll reference when you use the command line tools to open a connection. Configure it to use your key store and trust store JKS files.

ssl.keystore.password=<keystore password>
ssl.key.password=<pkcs12 password>
ssl.truststore.password=<truststore password>

Since this file contains passwords for your key stores, we'll want to tighten up filesystem permissions.

$ chmod 0600 client.properties

Finally, use your client.properties file when making connections to a broker from the Kafka command line tools.

$ kafka-console-consumer --bootstrap-server myserver.internal.net:443 -topic mytopic --consumer.config client.properties $ kafka-console-producer --broker-list myserver.internal.net:443 -topic mytopic --producer.config client.properties

Automate certificate renewal

By default, step-ca issues certificates with a 24 hour expiration. Short-lived certificates have many benefits but also require that you renew your certificates each day before they expire. How you renew certificates is often dependent on how you deploy your application. See the step-ca certificate lifecycle management docs for more information.

All documentation content from the Hello mTLS project is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0).

Creative Commons License

Connect to a Server from Kafka Command Line Tools