Strimzi
How to assign a CSR (certificate signing request) with client CA #5545
Replies: 1 comment 3 replies
-
|
Nothing like that is supported today. The CSR is generated only internally when creating the users. There is no way to provide your own CSR. And to be honest - given the operator expects some structure of the certificates (as in what subject they will have etc.) - I do not understand what would be the added value of anything like this. If you want, you can provide your own Clients CA and then you can generate and manage the certificates any way you want - including using your own CSRs and signing the certs etc. |
Beta Was this translation helpful? Give feedback.
-
|
Thank your prompt reply, it directs me to the right path. If I want to our own Client CA, how to integrate our client CA to Kafka cluster? Is there any documents? |
Beta Was this translation helpful? Give feedback.
-
|
This should help: https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @scholzj |
Beta Was this translation helpful? Give feedback.
-
In Kafka, there are a cluster CA and a client CA.
When we use SSL mode to connect Kafka cluster, we create a user, then we can get a client CA certificate and client certificate via user secret.
Now we want to generate a CSR (certificate signing request) at our app side, then use Kafka client CA to sign this CSR, then we get signed client certificate, we use this certificate to connect Kafka cluster.
The question is
(1) Is this idea feasible?
(2) If it is feasible, is there any API to obtain Kafka client CA?
Beta Was this translation helpful? Give feedback.
All reactions