Kafka TLS/SSL Example Part 1: Create the Root CA
This example uses the same self-signed root CA to sign all of the certificates used by the scheduler, Kafka brokers, and Vertica. If you cannot use the same CA to sign the certificates for all of these systems, make sure you include the entire chain of trust (every intermediate CA certificate up to the root) in your keystores.
The following Linux commands create a self-signed root CA. They are run by the dbadmin user on the Linux command line of one of the Vertica nodes.
- Generate a private key named root.key. Without an explicit size argument, OpenSSL uses its default key length (2048 bits in the version shown); the key is written to disk unencrypted, so treat the file as a secret from this point on.

$ openssl genrsa -out root.key
Generating RSA private key, 2048 bit long modulus
..............................................................................
............................+++
...............+++
e is 65537 (0x10001)
- Generate a self-signed root CA certificate named root.crt. Answer the prompts with the identity you want the CA to carry; the Common Name of a CA certificate is not matched against any hostname, so a descriptive name works and the wildcard shown below is not required. Note that without a -days option, openssl req -x509 issues a certificate that is valid for only 30 days; add -days with a longer validity period for a root that will sign production certificates.

$ openssl req -new -x509 -key root.key -out root.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) []:Cambridge
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:*.mycompany.com
Email Address []:myemail@mycompany.com
- Change the permissions on the files so that other users cannot read the root key and cannot modify the root certificate. The key must be readable only by its owner; the certificate is public and can stay world-readable.

$ ls
root.crt root.key
$ chmod 600 root.key
$ chmod 644 root.crt
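The three steps above, as an added example that is not part of the Vertica documentation: a script that creates the same kind of self-signed root CA non-interactively (explicit key size, validity and CA extensions, owner-only file creation) and then verifies that the result is a usable, self-signed CA certificate for the key before it is used to sign the broker, scheduler and Vertica certificates. It assumes openssl 1.1.1 or 3.x is on the PATH; the output directory, subject DN, 4096-bit key size and ten-year validity are illustrative choices, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Vertica documentation: create a self-signed root CA
# non-interactively and verify it. Assumes openssl (1.1.1 or 3.x) is on PATH.
# CA_DIR, CA_SUBJ, the key size and the validity period are illustrative choices.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_SUBJ="/C=US/ST=MA/L=Cambridge/O=My Company/CN=My Company Root CA"

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Generate root.key and root.crt in $1. A private config file is used so the
# result does not depend on the system openssl.cnf, and the CA extensions are
# set explicitly rather than inherited from whatever v3_ca section exists there.
make_root_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_dn
x509_extensions = v3_ca
[req_dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (
        umask 077   # files are owner-only from the moment they are created
        # Explicit 4096-bit key; add -aes256 to passphrase-protect it on a real CA host
        openssl genrsa -out "$dir/root.key" 4096 2>/dev/null
        # Explicit validity: without -days, openssl req -x509 issues a 30-day certificate
        openssl req -new -x509 -sha256 -days 3650 -subj "$CA_SUBJ" \
            -config "$dir/ca.cnf" -extensions v3_ca \
            -key "$dir/root.key" -out "$dir/root.crt"
    )
    chmod 600 "$dir/root.key"
    chmod 644 "$dir/root.crt"
}

# Return 0 only if root.crt in $1 is a self-signed CA certificate for root.key,
# is currently valid, and both files carry the expected modes.
check_root_ca() {
    dir="$1"
    crt="$dir/root.crt"
    key="$dir/root.key"
    # Self-signed: subject and issuer DN are identical (strip the "subject="/"issuer=" labels)
    subj=$(openssl x509 -in "$crt" -noout -subject)
    issuer=$(openssl x509 -in "$crt" -noout -issuer)
    [ "${subj#subject=}" = "${issuer#issuer=}" ] || return 1
    # The signature verifies with the certificate itself as the only trust anchor
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    # The certificate's public key matches the private key on disk
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
    # The CA flag is present, so the certificate can sign other certificates
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:TRUE' || return 1
    # Not expiring within the next 24 hours
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null || return 1
    # Key readable only by its owner, certificate world-readable
    [ "$(file_mode "$key")" = 600 ] || return 1
    [ "$(file_mode "$crt")" = 644 ] || return 1
}

make_root_ca "$CA_DIR"
if check_root_ca "$CA_DIR"; then
    echo "root CA created and verified in $CA_DIR"
else
    echo "root CA check failed in $CA_DIR" >&2
    exit 1
fi
```

Run it once on the node that will act as the CA and keep root.key there; only root.crt needs to be copied into the Kafka, scheduler and Vertica truststores. The check function is the part worth reusing: run it again before each signing session so a replaced key, an expired root, or a key that has become world-readable is caught before any certificate is issued.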