Reg: Setting up strimzi kafka with own CA certs


Tom Bentley
 

FWIW I am in the process of rewriting the certificate handling to support more flexible CA hierarchies (and other things) for the "cluster CA" and "clients CA". It's still some way off a PR, but it would support having brokers trust a given root CA certificate (without access to the key), but issuing using an intermediate certificate, which sounds like what you want.

Kind regards,

Tom


On Thu, Apr 15, 2021 at 5:10 PM Jakub Scholz <jakub@...> wrote:
Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use a server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Jakub

On Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:
Hi team, 

I was deploying Strimzi Kafka with our own CA certs; my organization provides CA.crt, rootCA and intermediate CA. But in the Strimzi documentation, to implement this scenario we need to have CA.Key as well, which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj


Jakub Scholz
 

Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use a server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str

Jakub

On Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:
Hi team, 

I was deploying Strimzi Kafka with our own CA certs; my organization provides CA.crt, rootCA and intermediate CA. But in the Strimzi documentation, to implement this scenario we need to have CA.Key as well, which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj
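
The two replies above (a server certificate used as an issuer gets rejected; a trusted root with an intermediate doing the issuing is accepted) can be reproduced locally. This script is an added example, not part of the original thread or of Strimzi; it assumes the `openssl` CLI is installed, and every certificate name in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo PKI; every subject name and file name here is made up.
WORK=$(mktemp -d)

# mkreq NAME: generate NAME.key and a CSR NAME.csr with CN=NAME.
mkreq() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# issue NAME ISSUER CAFLAG: sign NAME.csr with ISSUER's cert and key,
# stamping basicConstraints=CAFLAG (CA:TRUE or CA:FALSE) into the result.
issue() {
  mkreq "$1" || return 1
  printf 'basicConstraints=critical,%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -extfile "$WORK/$1.ext" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki() {
  # Self-signed root CA (the certificate the brokers would trust).
  mkreq root || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" >/dev/null 2>&1 || return 1
  issue intermediate root CA:TRUE     || return 1  # issuing CA, key held locally
  issue broker intermediate CA:FALSE  || return 1  # leaf issued by the intermediate
  issue server root CA:FALSE          || return 1  # ordinary server certificate
  issue bogus server CA:FALSE                      # leaf signed with the server cert's key
}

# chain_ok LEAF ISSUER: succeeds only if LEAF validates up to root via ISSUER.
chain_ok() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$2.crt" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki || { echo "openssl setup failed" >&2; exit 1; }
chain_ok broker intermediate && echo "broker via intermediate CA: accepted"
chain_ok bogus server || echo "bogus via server certificate: rejected"
```

Signing succeeds in both cases because it only needs a private key; the difference shows up at validation, where the issuer's `basicConstraints` must say `CA:TRUE`.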


Nag Raj
 

Hi team, 

I was deploying Strimzi Kafka with our own CA certs; my organization provides CA.crt, rootCA and intermediate CA. But in the Strimzi documentation, to implement this scenario we need to have CA.Key as well, which is not provided by my organization. Is there any way we can implement this use case without CA.Key? Thank you.

Regards,
Raj