Hi Raghav,

If your Kafka broker is configured with *ssl.client.auth=required,* your customer's clients need to provide a keystore. In any case, they need a truststore since your broker is using SSL. For the truststore, you can give them ca-cert, as you mentioned. Client keystore contains a certificate and a private key.

In the round-trip you described, customers generate the keys and give you the certificate signing request, keeping their private key private. You then send them back a signed certificate that goes into their keystore. This is the standard way of signing and is secure. In the single-step scenario that you described, you generate the customer's key-pair consisting of certificate and private key. You then need to send them both the signed certificate and the private key. This is less secure. Unlike the round-trip, you now have the private key of the customer.

Regards,

Rajini

On Tue, May 16, 2017 at 10:47 AM, Raghav <raghavas...@gmail.com> wrote:

> Hi Rajini
>
> This was very helpful. I have another question on similar lines.
>
> We host Kafka Broker, and we also have our own private CA. We want our
> customers to set up their Kafka Clients (Producer and Consumer) using SSL
> with *ssl.client.auth=required*.
>
> Is there a way we can generate a certificate for our clients, sign it using
> our private CA, and then hand over to our customers these two certificates
> (1. ca-cert 2. cert-signed), which, if they add them to their keystore and
> truststore, they can send messages to our Kafka brokers while keeping
> *ssl.client.auth=required*.
>
> We are looking to minimize our customers' pre-setup steps. For example, in the
> normal scenario, customers will need to generate a certificate and hand over
> their certificate request to our private CA, which we then sign and
> send them the signed certificate and the private CA's certificate. So there is
> one round trip. Just wondering if we can reduce these 2 steps into 1 step.
>
> Thanks.
>
> On Fri, May 12, 2017 at 8:53 AM, Rajini Sivaram <rajinisiva...@gmail.com>
> wrote:
>
>> Raghav,
>>
>> 1. Clients need a keystore if you are using TLS client authentication. To
>> enable client authentication, you need to configure ssl.client.auth in
>> server.properties. This can be set to required|requested|none. If you
>> don't enable client authentication, any client will be able to connect to
>> your broker. You could alternatively use SASL for client authentication.
>>
>> 2. Client keystore is mandatory if ssl.client.auth=required, optional for
>> requested and not used for none. The truststore configured on the client is
>> used to authenticate the server. So you have to provide it unless your
>> broker is using certificates signed by a trusted authority.
>>
>> Hope that helps.
>>
>> Rajini
>>
>> On Fri, May 12, 2017 at 11:35 AM, Raghav <raghavas...@gmail.com> wrote:
>>
>> > Hi
>> >
>> > I read the documentation here:
>> > https://kafka.apache.org/documentation/#security_ssl
>> >
>> > I have a few questions about trust store and keystore based on this
>> > scenario:
>> >
>> > We have 5 Kafka Brokers in our cluster. We want our clients to write to
>> > our Kafka brokers in a secure way. Suppose we also host a private CA as
>> > mentioned in the documentation above, and provide our clients the
>> > *ca-cert* file, which they add to their trust store.
>> >
>> > 1. Do we require our clients to generate their certificate and have it
>> > signed by our private CA, and add it to their keystore?
>> >
>> > 2. When is the keystore used by clients, and when is the truststore used
>> > by clients?
>> >
>> > Thanks.
>> >
>> > --
>> > R
>
> --
> Raghav
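The round-trip Rajini recommends, worked end to end as an added example (this is not code from the thread, from the Kafka documentation or from the Kafka project): openssl on the customer's machine generates the key pair and a CSR, the CA signs only the CSR, and the customer bundles the signed certificate with the private key that never left their machine. Everything it names is an assumption: the directory layout, the CN customer-1, the password changeit, the PKCS12 format for the keystore (Kafka reads it with ssl.keystore.type=PKCS12) and keytool for the JKS truststore, which the script skips when no JDK is present and leaves ca-cert.pem for the customer to import.

```shell
#!/bin/sh
# Added example (not from the thread): the CSR round-trip for Kafka mTLS clients.
# Assumes: openssl on PATH; keytool (JDK) optional; every name, path and the
# password "changeit" are placeholders.
set -eu

# CA side: create the private CA. Only ca-cert.pem is ever handed to customers.
ca_init() {            # ca_init CADIR
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Kafka CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# Customer side: generate the key pair and a CSR. client-key.pem stays here.
client_csr() {         # client_csr CLIENTDIR CN
  mkdir -p "$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/client-key.pem" -out "$1/client.csr" 2>/dev/null
}

# CA side: sign the CSR. Input is the CSR only; output is the signed cert.
ca_sign() {            # ca_sign CADIR CSR OUTCERT
  openssl x509 -req -sha256 -days 365 -in "$2" \
    -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
    -out "$3" 2>/dev/null
}

# Customer side: keystore = signed cert + private key (PKCS12, read by Kafka
# with ssl.keystore.type=PKCS12); truststore = ca-cert only.
client_stores() {      # client_stores CLIENTDIR CACERT PASSWORD
  cp "$2" "$1/ca-cert.pem"                       # the CA's handout
  openssl pkcs12 -export -name kafka-client \
    -in "$1/client-cert.pem" -inkey "$1/client-key.pem" -certfile "$2" \
    -out "$1/client.keystore.p12" -passout "pass:$3" 2>/dev/null
  if command -v keytool >/dev/null 2>&1; then   # JKS truststore needs a JDK
    keytool -importcert -noprompt -alias CARoot -file "$2" \
      -keystore "$1/client.truststore.jks" -storepass "$3" >/dev/null 2>&1
  fi
  cat > "$1/client.properties" <<EOF
security.protocol=SSL
ssl.keystore.type=PKCS12
ssl.keystore.location=$1/client.keystore.p12
ssl.keystore.password=$3
ssl.truststore.location=$1/client.truststore.jks
ssl.truststore.password=$3
EOF
}

# The whole exchange: only client.csr travels to the CA and only the signed
# certificate (plus ca-cert.pem) travels back.
roundtrip() {          # roundtrip WORKDIR CN
  ca_init "$1/ca"
  client_csr "$1/client" "$2"
  cp "$1/client/client.csr" "$1/ca/$2.csr"                 # customer -> CA
  ca_sign "$1/ca" "$1/ca/$2.csr" "$1/ca/$2-cert.pem"
  cp "$1/ca/$2-cert.pem" "$1/client/client-cert.pem"       # CA -> customer
  client_stores "$1/client" "$1/ca/ca-cert.pem" changeit
}

# Checks worth running before the files are handed over.
cert_chains_to_ca() {  # cert_chains_to_ca CACERT CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
keystore_has_key() {   # keystore_has_key P12 PASSWORD
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}
# The property that separates the round-trip from the single-step variant:
# the only private key the CA directory holds is the CA's own.
ca_private_files() {   # ca_private_files CADIR  (prints *-key.pem names)
  ls "$1" | grep -- '-key\.pem$' || true
}

if [ "${1:-}" = demo ]; then
  D=./kafka-mtls-demo
  roundtrip "$D" customer-1
  echo "private keys on the CA side: $(ca_private_files "$D/ca")"
  echo "client config written to $D/client/client.properties"
fi
```

Run it as `sh roundtrip.sh demo`. The last check is the point of the comparison in the thread: after the exchange the CA directory contains ca-key.pem and nothing else private, whereas the single-step variant would have created client-key.pem there and then shipped it to the customer. Kafka's own documentation (linked in the thread) shows the same flow with keytool-managed JKS files; the PKCS12 keystore here is one alternative Kafka accepts, not a replacement for that procedure.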