Kafka SSL


The process below has been tested with Kafka version 2.5.

$ bin/kafka-server-start.sh --version
[2020-06-21 18:51:57,858] INFO Registered kafka:type=kafka.Log4jController MBean (kafka.utils.Log4jControllerRegistration$)
2.5.0 (Commit:66563e712b0b9f84)


BROKER CERT

================================================================================

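# Create the CA key pair and a self-signed CA certificate valid for 366 days.
# At the prompts fill in every field except Common Name; enter "." to leave
# the CN blank.
# Reuse ca-cert and ca-key to sign every broker and client keystore below.
openssl req -new -x509 -keyout ca-key -out ca-cert -days 366
# The broker trusts any peer certificate that chains to this CA; this is what
# ssl.client.auth=required in server.properties relies on.
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert

# The broker key pair is stored under an alias named after this host.
export HOSTNAME="$(hostname)"
# A password given as -storepass on the command line is visible in `ps` and in
# shell history; keytool's -storepass:env / -storepass:file forms avoid that.
# At the DN prompt, use the broker hostname as the CN if you want to keep
# hostname verification (ssl.endpoint.identification.algorithm) enabled.
keytool -keystore server.keystore.jks -alias "$HOSTNAME" -validity 366 -keyalg RSA -genkey -deststoretype pkcs12 -storepass test1234

# Generate certificate sign request file
keytool -keystore server.keystore.jks -alias "$HOSTNAME" -certreq -file cert-file

# Create signed cert. -sha256 is explicit: without it, older OpenSSL releases
# default to a SHA-1 signature (the keytool listing further down shows
# "SHA1withRSA" for the broker cert), which current TLS stacks reject or warn on.
openssl x509 -req -sha256 -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 366 -CAcreateserial -passin pass:test1234

# Import the CA cert before the signed reply so keytool can verify the chain.
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias "$HOSTNAME" -import -file cert-signed

# View certificates inside the keystore
keytool -list -v -keystore server.keystore.jks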



CREATE CLIENT CERT

================================================================================

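# Each client gets its own directory and keystores; the CA material stays one
# level up (../ca-cert, ../ca-key).
mkdir client1 && cd client1
export CLIENTNAME="$(hostname)"
printf '%s\n' "$CLIENTNAME"
# The DN entered at the prompt is what the broker sees as this client's identity
# (presumably its Kafka principal under the default ssl.principal.mapping.rules —
# confirm before writing ACLs against it).
keytool -keystore client.keystore.jks -alias "$CLIENTNAME" -validity 366 -keyalg RSA -genkey -deststoretype pkcs12 -storepass test1234
keytool -list -v -keystore client.keystore.jks
# The client truststore only needs the CA so the broker certificate can be verified.
keytool -keystore client.truststore.jks -alias CARoot -import -file ../ca-cert
keytool -keystore client.keystore.jks -alias CARoot -import -file ../ca-cert
keytool -keystore client.keystore.jks -alias "$CLIENTNAME" -certreq -file cert-file
# -sha256 is explicit so the client cert is not SHA-1 signed on older OpenSSL
# releases (the broker cert listing above shows "SHA1withRSA" without it).
openssl x509 -req -sha256 -CA ../ca-cert -CAkey ../ca-key -in cert-file -out cert-signed -days 366 -CAcreateserial -passin pass:test1234
keytool -keystore client.keystore.jks -alias "$CLIENTNAME" -import -file cert-signed
keytool -list -v -keystore client.keystore.jks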


#### output of above list command ####

Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: en01.local
Creation date: 21 Jun, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=abul basar, OU=tech, O=einext, L=bang, ST=ka, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Serial number: e75e32f73246fd8c
Valid from: Sun Jun 21 17:28:04 IST 2020 until: Tue Jun 22 17:28:04 IST 2021
Certificate fingerprints:
   MD5:  CE:53:79:7B:B1:22:1C:DA:CC:B8:CA:C4:DF:87:8D:26
  SHA1: 15:33:FD:56:21:A7:EC:40:B6:C6:03:3F:7E:23:68:15:E1:19:CF:62
  SHA256: CF:BD:6B:53:2B:53:F2:2F:72:52:A0:0F:2C:A3:D9:FB:6F:2E:31:D1:12:F1:2F:88:EE:BC:C0:D1:05:25:2C:DA
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
Certificate[2]:
Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Serial number: f8a4a53af011dda3
Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021
Certificate fingerprints:
  MD5:  1A:63:5C:76:70:C4:18:32:96:EE:01:F5:E9:A4:6E:46
  SHA1: 90:6F:55:65:DF:E6:DE:CB:32:77:A3:F2:1F:F5:37:D7:B6:0F:23:F6
  SHA256: 14:E0:BF:B7:88:2B:87:EA:AC:AB:F7:49:BD:23:84:76:9D:CB:8A:08:2B:A2:41:9E:2A:EE:E2:77:BA:40:4D:25
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************


Alias name: caroot
Creation date: 21 Jun, 2020
Entry type: trustedCertEntry

Owner: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Issuer: EMAILADDRESS=test@test.com, OU=tech, O=einext, L=Bang, ST=KA, C=IN
Serial number: f8a4a53af011dda3
Valid from: Sun Jun 21 17:26:48 IST 2020 until: Tue Jun 22 17:26:48 IST 2021
Certificate fingerprints:
  MD5:  1A:63:5C:76:70:C4:18:32:96:EE:01:F5:E9:A4:6E:46
  SHA1: 90:6F:55:65:DF:E6:DE:CB:32:77:A3:F2:1F:F5:37:D7:B6:0F:23:F6
  SHA256: 14:E0:BF:B7:88:2B:87:EA:AC:AB:F7:49:BD:23:84:76:9D:CB:8A:08:2B:A2:41:9E:2A:EE:E2:77:BA:40:4D:25
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************





Broker config: config/server.properties

===============================================================================

# Todo: Replace EN01.local with the actual hostname. The same name must be the
# broker cert's CN (or SAN) if hostname verification is re-enabled below.
listeners=SSL://EN01.local:9092
advertised.listeners=SSL://EN01.local:9092

# Mutual TLS: every client must present a certificate that chains to a CA in
# server.truststore.jks (ca-cert from the steps above); otherwise the handshake
# is rejected.
ssl.client.auth=required
# Todo: Set the file location
ssl.keystore.location=/Users/abasar/Downloads/kafka-ssl/server.keystore.jks
# Passwords are stored in plaintext here: keep this file readable only by the
# broker's service account.
ssl.keystore.password=test1234
ssl.key.password=test1234
ssl.truststore.location=/Users/abasar/Downloads/kafka-ssl/server.truststore.jks
ssl.truststore.password=test1234

# NOTE(review): the stores were generated with keytool -deststoretype pkcs12
# (see above) — confirm whether JKS is the intended type here or PKCS12 should be set.
ssl.keystore.type=JKS
ssl.truststore.type=JKS
ssl.secure.random.implementation=SHA1PRNG
# NOTE(review): an empty value disables hostname verification of the peer
# certificate (on the broker this covers inter-broker connections). It is blank
# here because the broker cert's CN ("abul basar" in the listing above) is not
# the listener hostname; restore the default (https) once the cert is issued for
# its hostname.
ssl.endpoint.identification.algorithm=

# listener.security.protocol.map=SSL:SSL
# Enable internode communication over SSL
security.inter.broker.protocol=SSL

# inter.broker.listener.name=SSL



TEST BROKER WITH SSL ENABLED

After you start the broker, test the SSL configuration with openssl s_client. In the output below, `Verify return code: 19 (self signed certificate in certificate chain)` is expected because ca-cert is not in the system trust store (pass `-CAfile ca-cert` to verify against it), and `write:errno=32` is most likely the broker closing the connection because `ssl.client.auth=required` is set and s_client presented no client certificate.

$ openssl s_client -debug -connect $HOSTNAME:9092 -tls1_2
CONNECTED(00000005)
write to 0x7f9daf504a50 [0x7f9db0814803] (196 bytes => 196 (0xC4))
0000 - 16 03 01 00 bf 01 00 00-bb 03 03 3b 1d 02 ec ee   ...........;....
0010 - b0 96 25 8c bf fc 67 05-2b f2 63 0c c6 24 22 95   ..%...g.+.c..$".
0020 - 30 41 0e 28 8f 02 77 a8-a5 ca e8 00 00 5c c0 30   0A.(..w......\.0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 9f 00 6b 00 39   .,.(.$.......k.9
0040 - cc a9 cc a8 cc aa ff 85-00 c4 00 88 00 81 00 9d   ................
0050 - 00 3d 00 35 00 c0 00 84-c0 2f c0 2b c0 27 c0 23   .=.5...../.+.'.#
0060 - c0 13 c0 09 00 9e 00 67-00 33 00 be 00 45 00 9c   .......g.3...E..
0070 - 00 3c 00 2f 00 ba 00 41-c0 11 c0 07 00 05 00 04   .<./...A........
0080 - c0 12 c0 08 00 16 00 0a-00 ff 01 00 00 36 00 0b   .............6..
0090 - 00 02 01 00 00 0a 00 08-00 06 00 1d 00 17 00 18   ................
00a0 - 00 23 00 00 00 0d 00 1c-00 1a 06 01 06 03 ef ef   .#..............
00b0 - 05 01 05 03 04 01 04 03-ee ee ed ed 03 01 03 03   ................
00c0 - 02 01 02 03                                       ....
read from 0x7f9daf504a50 [0x7f9db0810603] (5 bytes => 5 (0x5))
0000 - 16 03 03 08 d3                                    .....
read from 0x7f9daf504a50 [0x7f9db0810608] (2259 bytes => 2259 (0x8D3))
0000 - 02 00 00 4d 03 03 5e ef-5b 46 1a 28 83 24 03 00   ...M..^.[F.(.$..
0010 - 8b 9e ec 97 b7 5f 65 0a-f5 22 b6 22 ea e7 fc 78   ....._e.."."...x
0020 - fc 5b 7a 11 3a 75 20 5e-ef 5b 46 42 06 66 d0 bb   .[z.:u ^.[FB.f..
0030 - d6 44 a7 a1 87 62 69 b2-4a ce c3 bf 35 7a 99 2d   .D...bi.J...5z.-
0040 - 72 0f d8 71 16 77 ce c0-30 00 00 05 ff 01 00 01   r..q.w..0.......
0050 - 00 0b 00 06 9c 00 06 99-00 03 45 30 82 03 41 30   ..........E0..A0
0060 - 82 02 29 02 09 00 e7 5e-32 f7 32 46 fd 8c 30 0d   ..)....^2.2F..0.
0070 - 06 09 2a 86 48 86 f7 0d-01 01 05 05 00 30 67 31   ..*.H........0g1
0080 - 0b 30 09 06 03 55 04 06-13 02 49 4e 31 0b 30 09   .0...U....IN1.0.
0090 - 06 03 55 04 08 0c 02 4b-41 31 0d 30 0b 06 03 55   ..U....KA1.0...U
00a0 - 04 07 0c 04 42 61 6e 67-31 0f 30 0d 06 03 55 04   ....Bang1.0...U.
00b0 - 0a 0c 06 65 69 6e 65 78-74 31 0d 30 0b 06 03 55   ...einext1.0...U
00c0 - 04 0b 0c 04 74 65 63 68-31 1c 30 1a 06 09 2a 86   ....tech1.0...*.
00d0 - 48 86 f7 0d 01 09 01 16-0d 74 65 73 74 40 74 65   H........test@te
00e0 - 73 74 2e 63 6f 6d 30 1e-17 0d 32 30 30 36 32 31   st.com0...200621
00f0 - 31 31 35 38 30 34 5a 17-0d 32 31 30 36 32 32 31   115804Z..2106221
0100 - 31 35 38 30 34 5a 30 5e-31 0b 30 09 06 03 55 04   15804Z0^1.0...U.
0110 - 06 13 02 49 4e 31 0b 30-09 06 03 55 04 08 13 02   ...IN1.0...U....
0120 - 6b 61 31 0d 30 0b 06 03-55 04 07 13 04 62 61 6e   ka1.0...U....ban
0130 - 67 31 0f 30 0d 06 03 55-04 0a 13 06 65 69 6e 65   g1.0...U....eine
0140 - 78 74 31 0d 30 0b 06 03-55 04 0b 13 04 74 65 63   xt1.0...U....tec
0150 - 68 31 13 30 11 06 03 55-04 03 13 0a 61 62 75 6c   h1.0...U....abul
0160 - 20 62 61 73 61 72 30 82-01 22 30 0d 06 09 2a 86    basar0.."0...*.
0170 - 48 86 f7 0d 01 01 01 05-00 03 82 01 0f 00 30 82   H.............0.
0180 - 01 0a 02 82 01 01 00 c5-af f2 e7 b1 e7 fb 97 f0   ................
0190 - cf 5b d7 60 dc 90 db 3b-95 53 13 93 5f c4 d6 47   .[.`...;.S.._..G
01a0 - d1 c7 f0 7f 07 a4 67 84-0f a8 76 9d ef 53 ca 40   ......g...v..S.@
01b0 - 29 51 96 e6 e3 58 d7 74-3e 83 38 36 4b 9a 50 fc   )Q...X.t>.86K.P.
01c0 - 41 69 95 0c 45 7e 4a ab-5f 78 fa a4 f1 58 9f c6   Ai..E~J._x...X..
01d0 - 87 f7 c5 ad 99 c0 6f 8f-a2 8b 3a 4d 05 6e 7d 0e   ......o...:M.n}.
01e0 - 66 00 d6 41 a5 bc fc 00-cb 5a a9 49 ab 40 8a b8   f..A.....Z.I.@..
01f0 - bd 60 b0 df 60 0d 24 7f-0c ee d5 a4 ac bf 2b 9e   .`..`.$.......+.
0200 - df 41 46 8e d6 98 25 ee-dc 30 5f 1d 6b f2 fc f9   .AF...%..0_.k...
0210 - db cf 58 ac 04 74 84 9f-57 f7 49 c7 78 85 fe b9   ..X..t..W.I.x...
0220 - 9a d3 8a d7 aa 1e 09 85-ac 27 da e1 96 29 1c f8   .........'...)..
0230 - 18 e2 eb 74 b3 51 21 23-48 79 af 76 9f d5 1d 04   ...t.Q!#Hy.v....
0240 - 80 7b ac 00 57 b0 fb 55-e9 c1 fb ef f1 4d 47 41   .{..W..U.....MGA
0250 - 32 b1 75 0b 22 86 60 61-1b 4a f0 65 75 73 9a b2   2.u.".`a.J.eus..
0260 - 3c d7 e0 bd e5 05 2c e5-07 ef 71 92 07 d3 3c a1   <.....,...q...<.
0270 - 58 c3 4d da ec 4c 75 91-54 f4 5a a8 f9 4b e5 8f   X.M..Lu.T.Z..K..
0280 - 00 53 17 ec 30 c7 83 02-03 01 00 01 30 0d 06 09   .S..0.......0...
0290 - 2a 86 48 86 f7 0d 01 01-05 05 00 03 82 01 01 00   *.H.............
02a0 - bf 97 50 3e 57 b1 7b 24-3e 97 61 e0 71 e2 d7 e7   ..P>W.{$>.a.q...
02b0 - bf 60 2a 5e 79 98 f2 2e-dd 05 ff f7 1c 00 ee 1a   .`*^y...........
02c0 - 15 c1 35 c7 c8 c8 eb 28-ff ee c2 90 3f 96 1a 3b   ..5....(....?..;
02d0 - 48 cb d4 14 c6 af b9 bf-de ae 2d cc 97 2e 02 4d   H.........-....M
02e0 - 5f 1d 9e 14 a5 ff 04 24-4a 91 2e a4 e7 c4 05 04   _......$J.......
02f0 - 0f 87 02 d6 25 04 67 1f-aa 1a 4f 8e 84 0a da bd   ....%.g...O.....
0300 - d3 c7 a8 9f 6c aa 89 fd-86 48 4d d9 7e 91 d3 59   ....l....HM.~..Y
0310 - bf d1 4d b8 dc 57 fd 3b-32 b8 dc e7 ac 5e 2f e9   ..M..W.;2....^/.
0320 - 61 40 17 3c 14 7d 1f 00-6c 52 25 b9 b4 dc 22 59   a@.<.}..lR%..."Y
0330 - c5 a2 0b 6e 97 81 6d 35-5a cc 87 0c 0a 01 49 29   ...n..m5Z.....I)
0340 - 69 fe 48 e8 ac 75 60 05-6f 2c db 72 3e 5b e9 8e   i.H..u`.o,.r>[..
0350 - 5f fb 35 6b 22 77 2a e9-02 eb 94 f6 70 a7 c4 35   _.5k"w*.....p..5
0360 - 61 ca a7 d4 8d 8e 76 c2-e4 14 f8 ce d5 e8 35 94   a.....v.......5.
0370 - 71 66 21 5e b0 2d 5d 89-7d 77 9f 0a 37 0b c6 b2   qf!^.-].}w..7...
0380 - e7 14 e8 ea f8 d9 a6 6f-e2 c1 4b 9c 1f 75 69 b8   .......o..K..ui.
0390 - d7 65 82 23 f0 92 41 5d-4f fb ae c6 34 f5 50 55   .e.#..A]O...4.PU
03a0 - 00 03 4e 30 82 03 4a 30-82 02 32 02 09 00 f8 a4   ..N0..J0..2.....
03b0 - a5 3a f0 11 dd a3 30 0d-06 09 2a 86 48 86 f7 0d   .:....0...*.H...
03c0 - 01 01 0b 05 00 30 67 31-0b 30 09 06 03 55 04 06   .....0g1.0...U..
03d0 - 13 02 49 4e 31 0b 30 09-06 03 55 04 08 0c 02 4b   ..IN1.0...U....K
03e0 - 41 31 0d 30 0b 06 03 55-04 07 0c 04 42 61 6e 67   A1.0...U....Bang
03f0 - 31 0f 30 0d 06 03 55 04-0a 0c 06 65 69 6e 65 78   1.0...U....einex
0400 - 74 31 0d 30 0b 06 03 55-04 0b 0c 04 74 65 63 68   t1.0...U....tech
0410 - 31 1c 30 1a 06 09 2a 86-48 86 f7 0d 01 09 01 16   1.0...*.H.......
0420 - 0d 74 65 73 74 40 74 65-73 74 2e 63 6f 6d 30 1e   .test@test.com0.
0430 - 17 0d 32 30 30 36 32 31-31 31 35 36 34 38 5a 17   ..200621115648Z.
0440 - 0d 32 31 30 36 32 32 31-31 35 36 34 38 5a 30 67   .210622115648Z0g
0450 - 31 0b 30 09 06 03 55 04-06 13 02 49 4e 31 0b 30   1.0...U....IN1.0
0460 - 09 06 03 55 04 08 0c 02-4b 41 31 0d 30 0b 06 03   ...U....KA1.0...
0470 - 55 04 07 0c 04 42 61 6e-67 31 0f 30 0d 06 03 55   U....Bang1.0...U
0480 - 04 0a 0c 06 65 69 6e 65-78 74 31 0d 30 0b 06 03   ....einext1.0...
0490 - 55 04 0b 0c 04 74 65 63-68 31 1c 30 1a 06 09 2a   U....tech1.0...*
04a0 - 86 48 86 f7 0d 01 09 01-16 0d 74 65 73 74 40 74   .H........test@t
04b0 - 65 73 74 2e 63 6f 6d 30-82 01 22 30 0d 06 09 2a   est.com0.."0...*
04c0 - 86 48 86 f7 0d 01 01 01-05 00 03 82 01 0f 00 30   .H.............0
04d0 - 82 01 0a 02 82 01 01 00-c9 e1 12 30 4c 19 3d a4   ...........0L.=.
04e0 - c8 16 9c 85 6f 18 af 44-20 63 ff 2b d8 bc 18 96   ....o..D c.+....
04f0 - d9 7a 01 92 72 56 94 7e-68 5c 31 9a b0 82 d1 e0   .z..rV.~h\1.....
0500 - 6a 0f 16 b7 50 02 71 9c-7b 9e 4b e9 b9 3d 5c ef   j...P.q.{.K..=\.
0510 - 08 83 31 3a 69 5b ca 9f-fc 91 ab 84 a9 a7 07 fd   ..1:i[..........
0520 - 9a 21 16 38 0a 0a 7a 80-b2 78 e8 2b 4c d4 1c 44   .!.8..z..x.+L..D
0530 - e9 e1 77 7c 37 32 86 e3-b8 d5 e4 57 42 09 f0 39   ..w|72.....WB..9
0540 - e0 8a 8c 44 94 62 a5 72-cb a2 c3 d5 77 41 f3 95   ...D.b.r....wA..
0550 - 3e 8e 71 a5 18 55 b3 3a-8d 75 9a 20 34 04 95 33   >.q..U.:.u. 4..3
0560 - 6f a8 a2 99 24 bb 78 03-36 f2 23 9f ac 9b 5b 8b   o...$.x.6.#...[.
0570 - f8 7a 36 e8 ac 6e 32 95-93 90 c3 68 ef 6c d4 eb   .z6..n2....h.l..
0580 - 34 1f 19 d3 97 b0 05 f3-a4 05 9c 89 04 7f a4 d1   4...............
0590 - 23 ca a5 a8 ab 6e b6 3b-ca 3f 41 9c 0a 12 9c d8   #....n.;.?A.....
05a0 - 85 dc cb 31 05 1b 14 ed-5e f2 3d 5c 7c 1f a0 fa   ...1....^.=\|...
05b0 - e5 78 02 29 e3 d2 c5 6c-99 e9 48 d9 a1 b6 2f 0c   .x.)...l..H.../.
05c0 - cc 75 a1 3a ad 71 d4 de-e4 7f 50 09 7d 50 f6 4e   .u.:.q....P.}P.N
05d0 - 10 2d 76 02 e4 02 1c 8f-02 03 01 00 01 30 0d 06   .-v..........0..
05e0 - 09 2a 86 48 86 f7 0d 01-01 0b 05 00 03 82 01 01   .*.H............
05f0 - 00 ba 8d 50 d6 b2 61 3d-0b 94 e1 8f ab d4 d0 33   ...P..a=.......3
0600 - 7e 07 e6 9f 80 a7 89 1b-73 39 b9 99 df 61 34 70   ~.......s9...a4p
0610 - eb 34 1c 9d 61 da 09 e6-81 e3 c4 29 93 f2 48 27   .4..a......)..H'
0620 - db 70 1c 75 ce 40 c8 d9-a7 69 4f d6 da a1 49 f6   .p.u.@...iO...I.
0630 - a3 1c ca a3 47 99 88 03-a9 ed 94 42 46 c1 61 df   ....G......BF.a.
0640 - 8a 9a 37 df e2 82 fc d9-a2 48 24 37 7d ee 0e 66   ..7......H$7}..f
0650 - 60 91 8e 1c 62 6b 27 b6-a0 38 11 f7 39 b9 52 6b   `...bk'..8..9.Rk
0660 - 63 66 15 e3 d3 5b 2f 7a-c6 86 16 8f eb 85 e6 61   cf...[/z.......a
0670 - c4 1c 65 e0 f6 5d e0 d8-4d 94 18 ca 00 65 eb 26   ..e..]..M....e.&
0680 - 4c 49 64 3b 50 77 2c 5f-1c 43 a4 1a b7 62 2f 95   LId;Pw,_.C...b/.
0690 - ec ad 72 86 48 9f b3 d7-e5 48 bb 1d 8d 17 de 4b   ..r.H....H.....K
06a0 - 9e 06 39 e5 f1 3b 7e 30-fc 74 3f 7b 20 96 b9 df   ..9..;~0.t?{ ...
06b0 - 8f 6d ca 78 36 56 2b cd-24 29 1b 8c a3 a0 4e b3   .m.x6V+.$)....N.
06c0 - df 2f 39 d3 32 ea 62 d4-8f 0f 56 3a a7 7a e4 a5   ./9.2.b...V:.z..
06d0 - cf d0 26 24 38 52 20 ca-9c c5 05 1b 6a 10 b7 49   ..&$8R .....j..I
06e0 - c8 5c 3b da 6b 66 fa a9-0a 41 42 2a b8 a8 fe 84   .\;.kf...AB*....
06f0 - a4 0c 00 01 49 03 00 17-41 04 44 f5 ca 34 81 4f   ....I...A.D..4.O
0700 - 35 d1 ba 0d b2 38 fa 32-65 b9 36 02 94 84 a0 99   5....8.2e.6.....
0710 - d5 b0 de 80 ea 10 70 01-50 ad e8 ac 55 5b 46 3b   ......p.P...U[F;
0720 - 68 e2 06 44 9d 47 ab d4-42 bf 55 24 86 ac fa bb   h..D.G..B.U$....
0730 - 64 c3 0a 05 a3 6e f2 a8-a1 3a 06 01 01 00 09 82   d....n...:......
0740 - 85 34 53 66 56 9c 67 c4-89 a7 36 8e 7c ef 10 aa   .4SfV.g...6.|...
0750 - c0 fd 5e 5e c1 57 ca 8d-20 2e fc 71 9e d4 70 ce   ..^^.W.. ..q..p.
0760 - 94 3b 68 ca ba 22 49 d9-23 b0 3e 91 77 ef cf ea   .;h.."I.#.>.w...
0770 - b0 79 5a 3f 0e 23 2e e8-e0 d7 47 62 da 91 24 81   .yZ?.#....Gb..$.
0780 - 41 bb 3d 74 f1 ce 93 c2-28 dc bc 9e 19 1b 1e dc   A.=t....(.......
0790 - 30 77 ad a2 99 55 df 6b-ae d7 ee 25 54 6c ab 65   0w...U.k...%Tl.e
07a0 - 11 4a 95 72 20 0a cf 4a-f2 23 c2 ca b5 ee fd 87   .J.r ..J.#......
07b0 - 5e a7 3e 9f 50 41 e2 41-a9 79 ee 43 ca 96 27 ec   ^.>.PA.A.y.C..'.
07c0 - f0 bd 3c 01 40 53 5b d9-46 49 94 4e 95 0d d0 29   ..<.@S[.FI.N...)
07d0 - 4c d7 a2 42 7b d2 5f 8a-20 de 19 7d 6b 10 7b da   L..B{._. ..}k.{.
07e0 - 9c 16 90 67 f0 cd 89 1b-ac 73 5c 29 f0 d9 2c 77   ...g.....s\)..,w
07f0 - e0 08 1c db f8 6d 3a 0c-1f da 1b d5 64 81 6f b3   .....m:.....d.o.
0800 - 6c 0b b7 ae 63 dc c8 b1-9a 48 e0 66 d3 db 5b 2f   l...c....H.f..[/
0810 - d1 ba 93 9a 4f 73 54 88-68 23 87 89 12 e9 50 8a   ....OsT.h#....P.
0820 - d7 63 ad a7 d9 74 e3 84-6a ca df c4 19 de 16 c3   .c...t..j.......
0830 - 40 66 ad 69 e7 c7 ee 40-da 5b f9 25 df 4b 0d 00   @f.i...@.[.%.K..
0840 - 00 8d 03 01 02 40 00 1a-06 03 06 01 05 03 05 01   .....@..........
0850 - 04 03 04 01 04 02 03 03-03 01 03 02 02 03 02 01   ................
0860 - 02 02 00 6b 00 69 30 67-31 0b 30 09 06 03 55 04   ...k.i0g1.0...U.
0870 - 06 13 02 49 4e 31 0b 30-09 06 03 55 04 08 0c 02   ...IN1.0...U....
0880 - 4b 41 31 0d 30 0b 06 03-55 04 07 0c 04 42 61 6e   KA1.0...U....Ban
0890 - 67 31 0f 30 0d 06 03 55-04 0a 0c 06 65 69 6e 65   g1.0...U....eine
08a0 - 78 74 31 0d 30 0b 06 03-55 04 0b 0c 04 74 65 63   xt1.0...U....tec
08b0 - 68 31 1c 30 1a 06 09 2a-86 48 86 f7 0d 01 09 01   h1.0...*.H......
08c0 - 16 0d 74 65 73 74 40 74-65 73 74 2e 63 6f 6d 0e   ..test@test.com.
08d3 - <SPACES/NULS>
depth=1 C = IN, ST = KA, L = Bang, O = einext, OU = tech, emailAddress = test@test.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
write to 0x7f9daf504a50 [0x7f9db0819a00] (12 bytes => 12 (0xC))
0000 - 16 03 03 00 07 0b 00 00-03                        .........
000c - <SPACES/NULS>
write to 0x7f9daf504a50 [0x7f9db0819a00] (75 bytes => 75 (0x4B))
0000 - 16 03 03 00 46 10 00 00-42 41 04 38 db db be a3   ....F...BA.8....
0010 - 7c c8 2c a5 8f b3 6e 61-65 a2 b6 f0 30 72 70 b8   |.,...nae...0rp.
0020 - 4a 45 24 b3 70 04 f2 77-16 44 67 57 e8 e2 a9 44   JE$.p..w.DgW...D
0030 - 9d 46 b8 38 26 08 0c 03-a1 93 0b 58 54 cd 04 a5   .F.8&......XT...
0040 - 99 37 23 cb 50 57 54 f2-b6 83 8e                  .7#.PWT....
write to 0x7f9daf504a50 [0x7f9db0819a00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32
---
Certificate chain
 0 s:/C=IN/ST=ka/L=bang/O=einext/OU=tech/CN=abul basar
   i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
 1 s:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
   i:/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=IN/ST=ka/L=bang/O=einext/OU=tech/CN=abul basar
issuer=/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
---
Acceptable client certificate CA names
/C=IN/ST=KA/L=Bang/O=einext/OU=tech/emailAddress=test@test.com
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2264 bytes and written 93 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5EEF5B46420666D0BBD644A7A1876269B24ACEC3BF357A992D720FD8711677CE
    Session-ID-ctx: 
    Master-Key: ADF818B8EBAE737F77158FCE6E9211851ACE70FCEC3901F6D0AA6D44F1F7C97BC6E8B1C616957D45B9B40250838CD50F
    Start Time: 1592744774
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---



----------------------------------------------------------------------------

CLIENT CONFIG

=============================================================================

# Client side of the mutual-TLS setup: SSL transport, pinned to TLS 1.2.
security.protocol=SSL
ssl.enabled.protocols=TLSv1.2
ssl.protocol=TLSv1.2

# Truststore holds ca-cert (imported in the client1 steps above) so the broker's
# certificate can be verified.
ssl.truststore.type=JKS
ssl.truststore.location=/Users/abasar/Downloads/kafka-ssl/client1/client.truststore.jks
ssl.truststore.password=test1234

# Keystore holds this client's own signed certificate; the broker requires it
# (ssl.client.auth=required in server.properties). Passwords are plaintext:
# restrict this file's permissions.
ssl.keystore.type=JKS
ssl.keystore.location=/Users/abasar/Downloads/kafka-ssl/client1/client.keystore.jks
ssl.keystore.password=test1234
ssl.key.password=test1234

# NOTE(review): an empty value disables the check that the broker cert's CN/SAN
# matches the bootstrap hostname. It is blank only because the broker cert's CN
# ("abul basar" above) is not the hostname; restore the default (https) once the
# broker cert is issued for its hostname.
ssl.endpoint.identification.algorithm=


Update config/producer.properties with the lines above and start the producer.

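# Start a console producer against the SSL listener; the SSL settings come from
# config/producer.properties. The substitution is quoted so the argument cannot be
# split if the hostname ever contains whitespace.
bin/kafka-console-producer.sh \
  --bootstrap-server "$(hostname):9092" \
  --topic demo \
  --producer.config config/producer.properties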



Similarly update config/consumer.properties, and start the consumer.

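# Start a console consumer against the SSL listener; the SSL settings come from
# config/consumer.properties. No whitespace may follow a line-ending backslash:
# `\ ` escapes the space instead of the newline, so the command ends early and
# the --consumer.config argument would run as a separate command.
bin/kafka-console-consumer.sh \
  --bootstrap-server "$(hostname):9092" \
  --topic demo \
  --consumer.config config/consumer.properties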



Confirm with tcpdump that the traffic between the broker and the clients no longer contains the plaintext message values.

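# Capture port-9092 traffic for this host and hex-dump it (-XX); with SSL enabled
# the message payloads should no longer be readable in the dump.
sudo tcpdump -XX -i any -nn port 9092 and host "$(hostname)"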