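#!/bin/bash
# Generate a throwaway CA plus server/client JKS keystores and truststores for
# Kafka TLS testing. Everything is written under $CERT_OUTPUT_PATH
# (default: ./certificates); the CA certificate and CA private key are kept
# there so further certificates can be signed later.
#
# Requires: keytool (JDK) and openssl on PATH.
# Environment: PASSWORD overrides the default passphrase used for every
#              keystore, key and the CA key.
#
# NOTE: passphrases are handed to keytool/openssl on the command line, so they
# are visible in `ps` output and in `set -x` traces while each tool runs, and
# the keystores/ca-key are created with the caller's umask. Both are only
# acceptable for a local test setup with a throwaway password.
set -euo pipefail

# --- settings --------------------------------------------------------------
# The original used $(PWD), which runs a non-existent command "PWD"; BASE_DIR
# came out empty and the output path silently became /certificates.
BASE_DIR=$(pwd)                                   # adjust if needed
CERT_OUTPUT_PATH="$BASE_DIR/certificates"
PASSWORD=${PASSWORD:-test1234}
KEY_STORE="$CERT_OUTPUT_PATH/server.keystore.jks"
TRUST_STORE="$CERT_OUTPUT_PATH/server.truststore.jks"
CLIENT_KEY_STORE="$CERT_OUTPUT_PATH/client.keystore.jks"
CLIENT_TRUST_STORE="$CERT_OUTPUT_PATH/client.truststore.jks"
KEY_PASSWORD=$PASSWORD
STORE_PASSWORD=$PASSWORD
TRUST_KEY_PASSWORD=$PASSWORD
TRUST_STORE_PASSWORD=$PASSWORD
CERT_AUTH_FILE="$CERT_OUTPUT_PATH/ca-cert"
CA_KEY_FILE="$CERT_OUTPUT_PATH/ca-key"
DAYS_VALID=3650
DNAME="CN=Test, OU=YourDept, O=YourCompany, L=Shanghai, ST=Shanghai, C=CN"
# Same RDNs as DNAME. The original joined OU and CN with ',' instead of '/',
# so the CA subject had no CN and an OU of "YourDept,CN=Test".
SUBJ="/C=CN/ST=Shanghai/L=Shanghai/O=YourCompany/OU=YourDept/CN=Test"

mkdir -p -- "$CERT_OUTPUT_PATH"

printf '%s\n' "1. 产生 key 和证书......"
# One RSA key pair + self-signed placeholder cert per keystore; the placeholder
# is replaced by the CA-signed certificate in step 8.
keytool -keystore "$KEY_STORE" -alias kafka-server -validity "$DAYS_VALID" -genkey -keyalg RSA \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -dname "$DNAME"
keytool -keystore "$CLIENT_KEY_STORE" -alias kafka-client -validity "$DAYS_VALID" -genkey -keyalg RSA \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -dname "$DNAME"

printf '%s\n' "2. 创建 CA......"
# Self-signed CA; its private key is encrypted with $PASSWORD.
openssl req -new -x509 -keyout "$CA_KEY_FILE" -out "$CERT_AUTH_FILE" -days "$DAYS_VALID" \
  -passin pass:"$PASSWORD" -passout pass:"$PASSWORD" \
  -subj "$SUBJ"

printf '%s\n' "3. 添加 CA 文件到 broker truststore......"
# The original referenced $TRUST_KEY_PASS (never defined) and passed an empty
# -keypass; the variable is TRUST_KEY_PASSWORD.
keytool -keystore "$TRUST_STORE" -alias CARoot \
  -importcert -file "$CERT_AUTH_FILE" -storepass "$TRUST_STORE_PASSWORD" -keypass "$TRUST_KEY_PASSWORD" -noprompt

printf '%s\n' "4. 添加 CA 文件到 client truststore......"
keytool -keystore "$CLIENT_TRUST_STORE" -alias CARoot \
  -importcert -file "$CERT_AUTH_FILE" -storepass "$TRUST_STORE_PASSWORD" -keypass "$TRUST_KEY_PASSWORD" -noprompt

printf '%s\n' "5. 从 keystore 中导出集群证书......"
# Certificate signing requests for both key pairs.
keytool -keystore "$KEY_STORE" -alias kafka-server -certreq -file "$CERT_OUTPUT_PATH/server-cert-file" \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -noprompt
keytool -keystore "$CLIENT_KEY_STORE" -alias kafka-client -certreq -file "$CERT_OUTPUT_PATH/client-cert-file" \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -noprompt

printf '%s\n' "6. 使用 CA 签发证书......"
# -CAcreateserial writes ca-cert.srl next to the CA cert; it is removed in step 9.
openssl x509 -req -CA "$CERT_AUTH_FILE" -CAkey "$CA_KEY_FILE" -in "$CERT_OUTPUT_PATH/server-cert-file" \
  -out "$CERT_OUTPUT_PATH/server-cert-signed" -days "$DAYS_VALID" -CAcreateserial -passin pass:"$PASSWORD"
openssl x509 -req -CA "$CERT_AUTH_FILE" -CAkey "$CA_KEY_FILE" -in "$CERT_OUTPUT_PATH/client-cert-file" \
  -out "$CERT_OUTPUT_PATH/client-cert-signed" -days "$DAYS_VALID" -CAcreateserial -passin pass:"$PASSWORD"

printf '%s\n' "7. 导入 CA 文件到 keystore......"
# The CA cert must be present in the keystore before the signed leaf cert can
# be imported under the key alias.
keytool -keystore "$KEY_STORE" -alias CARoot -import -file "$CERT_AUTH_FILE" -storepass "$STORE_PASSWORD" \
  -keypass "$KEY_PASSWORD" -noprompt
keytool -keystore "$CLIENT_KEY_STORE" -alias CARoot -import -file "$CERT_AUTH_FILE" -storepass "$STORE_PASSWORD" \
  -keypass "$KEY_PASSWORD" -noprompt

printf '%s\n' "8. 导入已签发证书到 keystore......"
keytool -keystore "$KEY_STORE" -alias kafka-server -import -file "$CERT_OUTPUT_PATH/server-cert-signed" \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -noprompt
keytool -keystore "$CLIENT_KEY_STORE" -alias kafka-client -import -file "$CERT_OUTPUT_PATH/client-cert-signed" \
  -storepass "$STORE_PASSWORD" -keypass "$KEY_PASSWORD" -noprompt

printf '%s\n' "9. 删除临时文件......"
# CSRs, signed leaf certs and the serial file are no longer needed once they
# are inside the keystores; ca-cert and ca-key are intentionally kept.
rm -- \
  "$CERT_OUTPUT_PATH/ca-cert.srl" \
  "$CERT_OUTPUT_PATH/server-cert-signed" \
  "$CERT_OUTPUT_PATH/client-cert-signed" \
  "$CERT_OUTPUT_PATH/server-cert-file" \
  "$CERT_OUTPUT_PATH/client-cert-file"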