Draft: Use unecrypted private keys

kafka-ssl/docker-compose.yml

@@ -46,25 +46,21 @@ services:
       KAFKA_ZOOKEEPER_SSL_CLIENT_ENABLE: 'true'
       KAFKA_ZOOKEEPER_CLIENT_CNXN_SOCKET: org.apache.zookeeper.ClientCnxnSocketNetty
       KAFKA_ZOOKEEPER_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/broker-keypair.pem
-      KAFKA_ZOOKEEPER_SSL_KEYSTORE_PASSWORD: codingharbour
       KAFKA_ZOOKEEPER_SSL_KEYSTORE_TYPE: PEM
       KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/root.crt
-      KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_PASSWORD: codingharbour
       KAFKA_ZOOKEEPER_SSL_TRUSTSTORE_TYPE: PEM
 
       # option 1: provide certs as strings
 
       # KAFKA_SSL_KEYSTORE_TYPE: PEM
       # KAFKA_SSL_KEYSTORE_CERTIFICATE_CHAIN: -----BEGIN CERTIFICATE-----\nMII....\n-----END CERTIFICATE-----
       # KAFKA_SSL_KEYSTORE_KEY: -----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIE...\n-----END ENCRYPTED PRIVATE KEY-----
-      # KAFKA_SSL_KEY_PASSWORD: codingharbour
       # KAFKA_SSL_TRUSTSTORE_TYPE: PEM
       # KAFKA_SSL_TRUSTSTORE_CERTIFICATES: -----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----
 
       # option 2: use pem files
 
       KAFKA_SSL_KEYSTORE_LOCATION: /etc/kafka/secrets/broker-keypair.pem
-      KAFKA_SSL_KEY_PASSWORD: codingharbour
       KAFKA_SSL_KEYSTORE_TYPE: PEM
       KAFKA_SSL_TRUSTSTORE_LOCATION: /etc/kafka/secrets/root.crt
       KAFKA_SSL_TRUSTSTORE_TYPE: PEM

kafka-ssl/security/create-certificates.sh

@@ -4,9 +4,6 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null && pwd )"
 
 root_cert=root.crt
 root_key=root.key
-password=codingharbour
-
-echo $password > credentials
 
 if [ ! -f "$root_cert" ]; then
     echo "Create a root certificate"
@@ -16,9 +13,8 @@ if [ ! -f "$root_cert" ]; then
     -newkey rsa:2048 \
     -keyout $root_key \
     -out $root_cert \
-    -subj '/CN=root.codingharbourexample.com/OU=TEST/O=CodingHarbour/L=Oslo/C=NO' \
-    -passin pass:$password \
-    -passout pass:$password
+    -noenc \
+    -subj '/CN=root.codingharbourexample.com/OU=TEST/O=CodingHarbour/L=Oslo/C=NO'
 fi
 
 for i in producer consumer broker zookeeper
@@ -28,18 +24,6 @@ do
   echo
 done
 
-rm *.srl
-
-echo "Create a truststore"
-
-keytool -import \
-  -noprompt \
-  -keystore truststore.jks \
-  -alias root-ca \
-  -file $root_cert \
-  -storepass $password \
-  -keypass $password
-
 # create properties for producer and consumer
 consumer_cert=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' consumer-signed.crt)
 consumer_key=$(awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' consumer.key)
@@ -52,7 +36,6 @@ security.protocol=SSL
 ssl.keystore.type=PEM
 ssl.keystore.certificate.chain=$consumer_cert
 ssl.keystore.key=$consumer_key
-ssl.key.password=$password
 ssl.truststore.type=PEM
 ssl.truststore.certificates=$truststore_cert
 EOF
@@ -63,7 +46,6 @@ cat <<EOF > producer.properties
 security.protocol=SSL
 ssl.keystore.type=PEM
 ssl.keystore.location=$DIR/producer-keypair.pem
-ssl.key.password=$password
 ssl.truststore.type=PEM
 ssl.truststore.location=$DIR/$root_cert
 EOF

kafka-ssl/security/create-pem-certificate.sh

@@ -1,26 +1,22 @@
 #! /bin/bash
 
 certname=$1
-password=codingharbour
 
 openssl req -newkey \
   rsa:2048 \
+  -noenc \
   -keyout $certname.key \
   -out $certname.csr \
-  -passin pass:$password \
-  -passout pass:$password \
   -subj "/CN=$certname/OU=TEST/O=CodingHarbour/L=Oslo/C=NO"
 
 #convert the key to PKCS8, otherwise kafka/java cannot read it
 openssl pkcs8 \
   -topk8 \
   -in $certname.key \
   -inform pem \
-  -v1 PBE-SHA1-RC4-128 \
   -out $certname-pkcs8.key \
   -outform pem \
-  -passin pass:$password \
-  -passout pass:$password
+  -nocrypt
 
 mv $certname-pkcs8.key $certname.key
 
@@ -33,7 +29,6 @@ openssl x509 -req \
   -sha256 \
   -days 365 \
   -CAcreateserial \
-  -passin pass:$password \
   -extensions v3_req \
   -extfile <(cat <<EOF
 [req]