[ https://issues.apache.org/jira/browse/KAFKA-9308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16998337#comment-16998337 ]

Sönke Liebau commented on KAFKA-9308:
-------------------------------------

I believe this is due to the fact that the x509 module of openssl only adds 
extensions to signed certificates that are passed via the -extfile parameter. 
Any extensions that are requested in the CSR are ignored.
For this to work you'd need to create a proper CA with signing profiles like 
shown here: https://stackoverflow.com/a/21340898/7183757

Might make sense to update the docs for this.

> Misses SAN after certificate creation
> -------------------------------------
>
>                 Key: KAFKA-9308
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9308
>             Project: Kafka
>          Issue Type: Bug
>          Components: documentation
>    Affects Versions: 2.3.1
>            Reporter: Agostino Sarubbo
>            Priority: Minor
>
> Hello,
> I followed the documentation to use kafka with ssl, however the entire 
> 'procedure' loses at the end the specified SAN.
> To test, run (after the first keytool command and after the latest):
>  
> {code:java}
> keytool -list -v -keystore server.keystore.jks
> {code}
> Reference:
>  [http://kafka.apache.org/documentation.html#security_ssl]
>  
> {code:java}
> #!/bin/bash
> #Step 1
> keytool -keystore server.keystore.jks -alias localhost -validity 365 \
>   -keyalg RSA -genkey -ext SAN=DNS:test.test.com
> #Step 2
> openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
> keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
> keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert
> #Step 3
> keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
> openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed \
>   -days 365 -CAcreateserial -passin pass:test1234
> keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
> keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
> {code}
>  
> In detail, the SAN is lost after:
> {code:java}
> keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
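A reproduction of the behaviour described in the comment above, added here as an example; it is not part of the Jira thread, the Kafka documentation or the reporter's script. It builds a throwaway CA with openssl, creates a CSR that carries the SAN as a requested extension (the equivalent of keytool's -ext SAN=...), signs that CSR once the way the reported script does it and once with -extfile, and then checks which of the two issued certificates actually contains the SAN. The file names, the CA subject DemoCA and the helper function names are assumptions for the demo; the host test.test.com is the one from the report.

```shell
#!/bin/sh
# Added example, not code from the Jira issue or the Kafka documentation.
# `openssl x509 -req` ignores extensions requested in the CSR, so a SAN asked
# for at CSR time is dropped unless the signer is given the extension through
# -extfile. File names, the CA subject "DemoCA" and the function names are
# assumptions; test.test.com is the host from the bug report.
set -eu

# Content of the v3 extension file that `openssl x509 -req -extfile` reads.
# $1 is the SAN list, e.g. "DNS:test.test.com,DNS:localhost".
make_ext_file() {
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' "$1"
}

# Print "present" if the PEM certificate $1 carries DNS SAN $2, else "absent".
san_status() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"; then
    echo present
  else
    echo absent
  fi
}

# Build a throwaway CA and a server CSR that requests the SAN, then sign the
# CSR twice: as the reported script does (no -extfile) and with an extension
# file. Runs in a subshell so the cd does not leak; prints the working dir.
setup_demo_pki() (
  host="$1"
  work=$(mktemp -d)
  cd "$work"

  # Demo CA, self-signed; -nodes leaves the key unencrypted for the demo only.
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=DemoCA" \
      -keyout ca-key.pem -out ca-cert.pem -days 365 >/dev/null 2>&1

  # CSR that requests the SAN as an extension, mirroring keytool -ext SAN=...
  cat > csr.cnf <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = $host
[ v3_req ]
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -config csr.cnf \
      -keyout server-key.pem -out server.csr >/dev/null 2>&1

  # 1) Sign as in the bug report: the SAN requested by the CSR is ignored.
  openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
      -CAcreateserial -days 365 -out cert-noext.pem >/dev/null 2>&1

  # 2) Sign with -extfile: the SAN from the file ends up in the certificate.
  make_ext_file "DNS:$host" > san.ext
  openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem \
      -CAcreateserial -days 365 -extfile san.ext -out cert-ext.pem >/dev/null 2>&1

  echo "$work"
)

# Stand-alone run: report both outcomes for the host from the bug report.
main() {
  dir=$(setup_demo_pki test.test.com)
  echo "without -extfile: SAN $(san_status "$dir/cert-noext.pem" test.test.com)"
  echo "with    -extfile: SAN $(san_status "$dir/cert-ext.pem" test.test.com)"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not installed; skipping demo" >&2
fi
```

Run it with sh; the first line reports the SAN as absent and the second as present. Applied to the reported procedure, the fix is to write the subjectAltName line to a file and pass it with -extfile to the `openssl x509 -req` step before cert-signed is imported into the keystore. Treating that file as the CA's signing profile is also the sounder design: the CA, not the CSR, decides which names a certificate is issued for, which is the security rationale for ignoring CSR extensions by default. Newer OpenSSL releases (3.x) additionally accept `-copy_extensions copy` on `openssl x509`, which takes the opposite stance and trusts the CSR; for a CA, the explicit -extfile remains the safer choice.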