10.8.5 Key and Certificate Lifecycle Management

Key and certificate lifecycle management is essential for securing Kafka's communication and access control. The goal is to keep keys and certificates controlled, auditable and recoverable across the whole lifecycle: generation, distribution, use, rotation and revocation. It covers SSL/TLS certificates, keys used by SASL mechanisms, KDC or LDAP credentials, and integration with an external certificate authority (CA).

Principle sketch (lifecycle and component relationships)#

[Figure: lifecycle stages and component relationships; image not available]

Lifecycle stages and key procedures (with examples)#

1) Generation: create the root CA and broker certificate (OpenSSL)#

Installation

# Ubuntu/Debian
apt-get update && apt-get install -y openssl
# CentOS/RHEL
yum install -y openssl

Generate the root CA

mkdir -p /etc/kafka/pki/{ca,broker,client} && cd /etc/kafka/pki/ca

# Generate the CA private key
openssl genrsa -out ca.key 4096

# Generate the CA certificate (valid for 3650 days)
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
  -subj "/C=CN/ST=Beijing/O=Ops/OU=CA/CN=Kafka-Root-CA" \
  -out ca.crt

Command notes
- genrsa -out ca.key 4096: generate a 4096-bit RSA private key
- req -x509: self-sign the root certificate
- -subj: avoid interactive prompts

Generate the broker private key and CSR

cd /etc/kafka/pki/broker
openssl genrsa -out broker.key 2048

cat > broker.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = broker-1
DNS.2 = broker-1.example.com
IP.1 = 192.168.10.11
EOF

openssl req -new -key broker.key -out broker.csr \
  -subj "/C=CN/ST=Beijing/O=Ops/OU=Kafka/CN=broker-1" \
  -config broker.cnf

Issue the broker certificate

cd /etc/kafka/pki/ca
openssl x509 -req -in /etc/kafka/pki/broker/broker.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out /etc/kafka/pki/broker/broker.crt \
  -days 365 -sha256 -extensions v3_req \
  -extfile /etc/kafka/pki/broker/broker.cnf

2) Distribution: secure distribution and permission control#

# Example only; in production use Ansible/Vault
install -o kafka -g kafka -m 600 /etc/kafka/pki/broker/broker.key /etc/kafka/ssl/
install -o kafka -g kafka -m 644 /etc/kafka/pki/broker/broker.crt /etc/kafka/ssl/
install -o kafka -g kafka -m 644 /etc/kafka/pki/ca/ca.crt /etc/kafka/ssl/

Command notes
- -m 600: least privilege for the private key
- -m 644: certificate readable but not writable

3) Deployment: generate the keystore/truststore and configure Kafka#

# Generate the PKCS12 keystore (the export password must match ssl.keystore.password in server.properties)
openssl pkcs12 -export \
  -in /etc/kafka/ssl/broker.crt \
  -inkey /etc/kafka/ssl/broker.key \
  -name broker-1 \
  -out /etc/kafka/ssl/broker.p12 \
  -CAfile /etc/kafka/ssl/ca.crt -caname root-ca \
  -passout pass:changeit
# Create the truststore
keytool -import -alias root-ca -file /etc/kafka/ssl/ca.crt \
  -keystore /etc/kafka/ssl/broker.truststore.p12 \
  -storetype PKCS12 -storepass changeit -noprompt

Kafka broker configuration (server.properties)

listeners=SSL://0.0.0.0:9093
advertised.listeners=SSL://broker-1.example.com:9093
listener.security.protocol.map=SSL:SSL
ssl.keystore.type=PKCS12
ssl.keystore.location=/etc/kafka/ssl/broker.p12
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.type=PKCS12
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.p12
ssl.truststore.password=changeit
ssl.client.auth=required

Client example (producer.properties)

security.protocol=SSL
ssl.truststore.location=/etc/kafka/ssl/client.truststore.p12
ssl.truststore.password=changeit
ssl.keystore.location=/etc/kafka/ssl/client.p12
ssl.keystore.password=changeit
ssl.key.password=changeit

4) Rotation: dual-certificate transition and rolling restart#

Example procedure
1. Generate the new certificate and deploy it to all brokers (keep the old certificate in place)
2. Update ssl.keystore.location to point to the new certificate
3. Restart the brokers one at a time (rolling restart)

# Check the certificate validity period
openssl x509 -in /etc/kafka/ssl/broker.crt -noout -enddate

# Rolling restart example (systemd)
systemctl restart kafka
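The rotation procedure above lists the steps but not the checks that make a rolling restart safe. The script below is an added example and not part of the original page: it gates each broker's switch on the new private key matching the new certificate, the certificate chaining to the CA, the SAN covering the broker's advertised hostname and the certificate not expiring soon, and after each restart it confirms with `openssl s_client` that the live listener presents a chain that verifies against the CA. The staged paths `/etc/kafka/ssl-new/broker.crt`, `/etc/kafka/ssl-new/broker.key` and `/etc/kafka/ssl/broker-new.p12`, the ssh-with-sudo access and the hostnames are assumptions; the `kafka` systemd unit and `ssl.keystore.location` key come from the page.

```shell
#!/usr/bin/env bash
# Rotation gate and rolling restart (added example, not from the original page).
# Assumptions (hypothetical): new cert/key staged as /etc/kafka/ssl-new/broker.{crt,key},
# new keystore as /etc/kafka/ssl/broker-new.p12, brokers reachable over ssh with sudo,
# broker running as the systemd unit "kafka".

# 0 only if the private key belongs to the certificate (identical public key).
key_matches_cert() {
  local crt="$1" key="$2" cert_pub key_pub
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 only if the certificate chains to CA and its SAN covers HOST.
chains_for_host() {
  local crt="$1" ca="$2" host="$3"
  openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1
}

# 0 only if the certificate is still valid DAYS days from now (no GNU date needed).
valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Pre-switch gate for one broker: every check must pass before its keystore is switched.
rotation_preflight() {
  local crt="$1" key="$2" ca="$3" host="$4" min_days="${5:-30}"
  key_matches_cert "$crt" "$key"       || { echo "FAIL: key does not match certificate"; return 1; }
  chains_for_host "$crt" "$ca" "$host" || { echo "FAIL: chain or SAN check failed for $host"; return 1; }
  valid_for_days "$crt" "$min_days"    || { echo "FAIL: certificate expires within $min_days days"; return 1; }
  echo "OK: $crt passes preflight for $host"
}

# Post-restart check: the live listener must present a chain that verifies against CA.
live_check() {
  local host="$1" port="$2" ca="$3"
  echo | openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$ca" -verify_return_error >/dev/null 2>&1
}

# Rolling restart, one broker at a time; stops at the first broker that fails the live
# check, so the remaining brokers keep serving the old (still valid) certificate.
rolling_rotate() {
  local ca="$1" host; shift
  for host in "$@"; do
    ssh "$host" "sudo sed -i 's#^ssl.keystore.location=.*#ssl.keystore.location=/etc/kafka/ssl/broker-new.p12#' /etc/kafka/server.properties && sudo systemctl restart kafka" || return 1
    sleep 15   # let the broker rejoin the cluster before touching the next one
    live_check "$host" 9093 "$ca" || { echo "FAIL: $host serves an invalid chain after restart"; return 1; }
    echo "rotated: $host"
  done
}

# Example invocation (hypothetical hosts); gate every broker before any restart:
# for h in broker-1.example.com broker-2.example.com; do
#   rotation_preflight /etc/kafka/ssl-new/broker.crt /etc/kafka/ssl-new/broker.key \
#     /etc/kafka/ssl/ca.crt "$h" 30 || exit 1
# done
# rolling_rotate /etc/kafka/ssl/ca.crt broker-1.example.com broker-2.example.com
```

The preflight deliberately uses `openssl x509 -checkend` rather than parsing the `notAfter` date, so it behaves the same on systems without GNU `date -d`; the live check uses `-verify_return_error` so that a broker serving an unverifiable chain fails the step instead of just printing a warning.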

5) Revocation: CRL/OCSP checking and replacement#

# Generate a CRL (example; openssl ca needs a CA configuration with its database files, i.e. index.txt and crlnumber)
cd /etc/kafka/pki/ca
openssl ca -gencrl -out ca.crl

Note: Kafka does not natively check CRLs; enable checking at the TLS terminator or proxy, or force a trust-chain update on the client side.
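The generation step in 1) and the `openssl ca -gencrl` command above are two ends of the same lifecycle, and the CRL command only works once an `openssl ca` database exists. The script below is an added example and not part of the original page: it builds a root CA with an explicit CA profile (basicConstraints and keyUsage, which the page's root CA only gets if the system openssl.cnf supplies them), issues a broker certificate with SANs, verifies chain, hostname and IP, sets up the minimal `openssl ca` database, revokes the certificate and shows that `openssl verify -crl_check` then rejects it. The broker name and SANs follow exercise 1 (broker-2, broker-2.example.com, 192.168.10.12); the working directory is an argument and the file names `pki.cnf`, `ext.cnf` and `ca.crl` are this example's own choices.

```shell
#!/usr/bin/env bash
# Certificate lifecycle demo (added example, not part of the original page):
# root CA -> broker cert with SAN -> verification -> revocation -> CRL check.
# All artifacts live under the directory given as $1, never under /etc/kafka/pki.

# Write one OpenSSL config that serves req, x509 -req and openssl ca, plus the CA database.
write_pki_config() {
  local dir="$1"
  mkdir -p "$dir/newcerts"
  touch "$dir/index.txt"                              # openssl ca certificate database
  [ -f "$dir/serial" ]    || echo 01   > "$dir/serial"
  [ -f "$dir/crlnumber" ] || echo 1000 > "$dir/crlnumber"
  cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = kafka_ca
[ kafka_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}

# Root CA key and self-signed certificate (CA profile v3_ca from pki.cnf).
make_root_ca() {
  local dir="$1"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 3650 \
    -subj "/C=CN/ST=Beijing/O=Ops/OU=CA/CN=Kafka-Root-CA" \
    -config "$dir/pki.cnf" -out "$dir/ca.crt"
}

# Issue a broker certificate; NAME, FQDN and IP all go into the SAN.
issue_broker_cert() {
  local dir="$1" name="$2" fqdn="$3" ip="$4" bdir="$1/$2"
  mkdir -p "$bdir"
  printf '[ v3_req ]\nsubjectAltName = DNS:%s,DNS:%s,IP:%s\nextendedKeyUsage = serverAuth, clientAuth\n' \
    "$name" "$fqdn" "$ip" > "$bdir/ext.cnf"
  openssl genrsa -out "$bdir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$bdir/$name.key" -subj "/C=CN/ST=Beijing/O=Ops/OU=Kafka/CN=$name" \
    -config "$dir/pki.cnf" -out "$bdir/$name.csr"
  openssl x509 -req -in "$bdir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extensions v3_req -extfile "$bdir/ext.cnf" -out "$bdir/$name.crt" 2>/dev/null
}

# Chain + hostname + IP verification; non-zero on any mismatch.
verify_broker_cert() {
  local dir="$1" name="$2" fqdn="$3" ip="$4"
  openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$fqdn" "$dir/$name/$name.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.crt" -verify_ip "$ip" "$dir/$name/$name.crt" >/dev/null 2>&1
}

# Publish the current CRL (empty until something is revoked).
publish_crl() { openssl ca -config "$1/pki.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null; }

# Mark NAME's certificate revoked in the CA database, then publish a fresh CRL.
revoke_and_publish_crl() {
  local dir="$1" name="$2"
  openssl ca -config "$dir/pki.cnf" -revoke "$dir/$name/$name.crt" -crl_reason superseded 2>/dev/null &&
  publish_crl "$dir"
}

# Check a certificate against the CA and its CRL; fails once the certificate is revoked.
verify_with_crl() {
  local dir="$1" name="$2"
  openssl verify -crl_check -CAfile "$dir/ca.crt" -CRLfile "$dir/ca.crl" "$dir/$name/$name.crt" >/dev/null 2>&1
}

# Demo run: bash lifecycle.sh /tmp/kafka-pki  (the directory is created; nothing touches /etc)
if [ -n "${1:-}" ]; then
  PKI_DIR="$1"
  write_pki_config "$PKI_DIR" && make_root_ca "$PKI_DIR"
  issue_broker_cert "$PKI_DIR" broker-2 broker-2.example.com 192.168.10.12
  verify_broker_cert "$PKI_DIR" broker-2 broker-2.example.com 192.168.10.12 && echo "issued: chain and SAN OK"
  publish_crl "$PKI_DIR"
  verify_with_crl "$PKI_DIR" broker-2 && echo "before revocation: CRL check OK"
  revoke_and_publish_crl "$PKI_DIR" broker-2
  verify_with_crl "$PKI_DIR" broker-2 || echo "after revocation: certificate rejected by CRL check"
fi
```

Because Kafka itself does not consult the CRL, the last check is what a TLS terminator or a client-side trust update has to perform; running it in CI against every deployed broker certificate is a cheap way to catch a revoked certificate that is still in service.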

Kafka configuration essentials (with architecture diagram)#

[Figure: architecture diagram; image not available]

  • Broker side
    • ssl.keystore.location: broker certificate and private key
    • ssl.truststore.location: trusted CA chain
    • ssl.client.auth=required: enforce mutual authentication
  • Client side
    • a single shared CA trust chain
    • the SAN must include the hostname or IP used to reach the broker

Automation and toolchain (installation and examples)#

CFSSL (optional)#

# Download and install
curl -L -o /usr/local/bin/cfssl https://pkg.cfssl.org/R1.2/cfssl_linux-amd64
curl -L -o /usr/local/bin/cfssljson https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x /usr/local/bin/cfssl /usr/local/bin/cfssljson

Vault (optional)#

# Install (Ubuntu example)
apt-get install -y vault

# Enable the PKI engine
vault secrets enable pki
vault write pki/root/generate/internal common_name="Kafka Root CA" ttl=87600h

Common problems and troubleshooting (with commands)#

1) TLS handshake failure#

# Check the certificate chain
openssl verify -CAfile /etc/kafka/ssl/ca.crt /etc/kafka/ssl/broker.crt

# Check the SAN
openssl x509 -in /etc/kafka/ssl/broker.crt -noout -text | grep -A1 "Subject Alternative Name"

Troubleshooting points
- SAN missing or not matching the hostname/IP
- incomplete certificate chain

2) Client permission denied (SSL handshake succeeds but authorization fails)#

# If ACLs are also enabled, check the ACL configuration
kafka-acls.sh --bootstrap-server broker-1.example.com:9093 \
  --list --command-config /etc/kafka/ssl/client.properties

3) Connection loss after rotation#

# Check whether the dual-certificate transition is in place
ls -l /etc/kafka/ssl/ | grep -E "broker.*p12|crt"

Exercises#

  1. Use OpenSSL to issue a certificate for broker-2 with a SAN containing broker-2.example.com and 192.168.10.12
  2. Generate client.p12 and configure the producer connection; verify that mutual TLS succeeds.
  3. Simulate certificate expiry: set the validity period to 1 day, then write a script that detects it and emits a warning.

Reference script (certificate expiry check)

#!/usr/bin/env bash
# Warn when the broker certificate expires within 30 days (date -d requires GNU date)
CERT=/etc/kafka/ssl/broker.crt
END=$(date -d "$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)" +%s)
NOW=$(date +%s)
LEFT=$(( (END-NOW) / 86400 ))
if [ "$LEFT" -lt 30 ]; then
  echo "WARN: certificate expires in $LEFT days"
else
  echo "OK: certificate expires in $LEFT days"
fi
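The reference script checks one fixed file and depends on GNU `date -d`. The following is an added example and not the page's own script: it generalizes the check to every certificate in a directory, makes the warn/ok decision with `openssl x509 -checkend` (portable where `date -d` is not), skips files that are not certificates, and returns the number of certificates inside the warning window so the scan can drive a cron job or a monitoring check. The default directory `/etc/kafka/ssl` comes from the page; the function names and the `.crt`/`.pem` selection are this example's assumptions.

```shell
#!/usr/bin/env bash
# Certificate expiry scan (added example, not the page's reference script).
# Usage: cert_expiry_scan [DIR] [WARN_DAYS]; return value = number of expiring certs (capped at 255)

# 0 if CERT is still valid DAYS days from now, 1 if it expires within that window.
cert_valid_for_days() {
  local crt="$1" days="$2"
  openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Days until expiry for the report; prints "?" where GNU date is unavailable
# (the warn/ok decision is made by cert_valid_for_days, never by this value).
cert_days_left() {
  local crt="$1" end_str end now
  end_str=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null | cut -d= -f2) || return 1
  if end=$(date -d "$end_str" +%s 2>/dev/null); then
    now=$(date +%s)
    echo $(( (end - now) / 86400 ))
  else
    echo "?"
  fi
}

# Scan DIR for PEM certificates, print one line per certificate, return how many
# expire within WARN_DAYS. Non-certificate files (keystores, junk) are skipped.
cert_expiry_scan() {
  local dir="${1:-/etc/kafka/ssl}" warn="${2:-30}" crt expiring=0
  for crt in "$dir"/*.crt "$dir"/*.pem; do
    [ -f "$crt" ] || continue
    openssl x509 -in "$crt" -noout >/dev/null 2>&1 || continue
    if cert_valid_for_days "$crt" "$warn"; then
      echo "OK   $(basename "$crt") expires in $(cert_days_left "$crt") days"
    else
      echo "WARN $(basename "$crt") expires in $(cert_days_left "$crt") days (threshold $warn)"
      expiring=$((expiring + 1))
    fi
  done
  [ "$expiring" -gt 255 ] && expiring=255
  return "$expiring"
}

# Standalone use: scan the default directory with a 30-day window (non-zero exit = action needed)
# cert_expiry_scan /etc/kafka/ssl 30
```

For exercise 3, issue a certificate with `-days 1` into a scratch directory and run `cert_expiry_scan <dir> 30`; the WARN line and the non-zero return are the alert the exercise asks for.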

Best practices checklist#

  • Maintain a certificate inventory and an expiry alerting mechanism
  • Store private keys with least privilege and encryption; prefer an HSM or Vault
  • Use separate CAs for production, test and development environments
  • Bring rotation and revocation procedures under change management and audit
  • Rehearse certificate rotation and failure recovery procedures regularly