我们正在尝试为 Kafka 服务器集群生成服务器证书,以便通过 SSL 进行通信。
该程序有效,但证书的有效期仅为 30 天。
我们请求 365 天,在“步骤 1”(见下文)之后,我们将获得具有正确有效期的密钥对。请参阅下面的 (1)。
但是,当我们将签名的证书重新导入密钥库后,有效期已缩短为 30 天。请参阅下面的 (2)。
为什么会这样?我们该如何解决这个问题?
echo "Step1: Create the server identity and keystore"
$ORACLE_JDK_1_8_0_u181_keytool -genkey -keystore keystore.p12 -alias localhost -validity 365 -keyalg RSA -deststoretype pkcs12 -ext SAN="DNS:$SERVER_NAME.corp.com,IP:1.2.3.4"
$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (1) Shows validity of 365 days: correct
echo "Step2: Export the private key from the keystore to a separate file"
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out $SERVER_NAME_key.pem -passin pass:$KPWD -passout pass:$KPWD
echo "Step3: Create a Certificate Signing Request (CSR)"
openssl req -new -key $SERVER_NAME_key.pem -out $SERVER_NAME.csr -passin pass:$KPWD -passout pass:$KPWD
echo "Step6 Sign the server certificate"
openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD
echo "Step7: Import both the certificate of the CA and the signed certificate into the keystore."
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias CARoot -import -file CAcert.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias localhost -import -file $SERVER_NAME_key_signed.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (2) Shows validity of 30 days: WRONG. WHY?
答案1
您应该添加-days
以下行:
openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD
成为
openssl x509 -req -days 365 -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD