Monitoring the validity of Kafka SSL certificates

rfbsl7qr posted on 2021-06-04 in Kafka
Follow (0) | Answers (1) | Views (407)

Assume you have a simple Kafka cluster with 3 brokers. SSL certificates are used for client authentication and for Kafka ACLs. SSL is also enabled for inter-broker communication. What is the recommended approach for monitoring the validity period / expiry of the certificates in use?
Thanks in advance!

lxkprmvk 1#

Currently we have simply written a small Java application that, through scheduled invocations of the following method, checks every JKS file in use and retrieves the certificates that expire within a given number of days:

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.ZoneId;
import java.util.Enumeration;
import java.util.LinkedList;
import java.util.List;

// LOGGER and MyAppException belong to the surrounding application.
List<X509Certificate> getCertificatesThatExpireWithin(final int minCertsValidityInDays,
        final File keystoreFile, final String keyStorePassword) throws MyAppException {
    final List<X509Certificate> expiringCerts = new LinkedList<>();
    // Start of the day that lies minCertsValidityInDays days ahead; anything not valid past it is reported.
    final java.util.Date maxDateTime = java.util.Date.from(java.time.LocalDate.now()
            .plusDays(minCertsValidityInDays).atStartOfDay(ZoneId.systemDefault()).toInstant());

    try (final FileInputStream is = new FileInputStream(keystoreFile)) {
        final KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(is, keyStorePassword.toCharArray());
        final Enumeration<String> keystoreAliases = keystore.aliases();
        while (keystoreAliases.hasMoreElements()) {
            final String alias = keystoreAliases.nextElement();
            // For key entries this returns the leaf certificate of the stored chain.
            final Certificate cert = keystore.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509Cert = (X509Certificate) cert;
                if (!x509Cert.getNotAfter().after(maxDateTime)) {
                    expiringCerts.add(x509Cert);
                }
            }
        }
    } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
        LOGGER.error("Can not check the validity of the certificates in " + keystoreFile.getPath() + " due to", e);
        throw new MyAppException(
                "Can not check the validity of the certificates in " + keystoreFile.getPath() + " due to", e);
    }
    return expiringCerts;
}
```
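The same check driven from a broker's own configuration, as an added example that is not the answerer's code: it reads the `ssl.keystore.*` and `ssl.truststore.*` entries from a Kafka `server.properties`, loads both stores, and reports the remaining validity of every X.509 entry, so the truststore's CA certificates are covered as well. The `server.properties` path and the 30-day warning window are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;
import java.util.Map;
import java.util.Properties;

public class KafkaStoreExpiryCheck {
    static final int WARN_DAYS = 30; // assumed warning window, not a Kafka setting

    // Returns alias -> whole days until notAfter (negative once the certificate has expired).
    static Map<String, Long> daysLeftPerAlias(String path, String type, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            // A truststore may have no password configured; JKS accepts null then.
            ks.load(in, password == null ? null : password.toCharArray());
        }
        Map<String, Long> result = new java.util.TreeMap<>();
        Instant now = Instant.now();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Object cert = ks.getCertificate(alias); // key entries yield their own leaf certificate
            if (cert instanceof X509Certificate) {
                Instant notAfter = ((X509Certificate) cert).getNotAfter().toInstant();
                result.put(alias, Duration.between(now, notAfter).toDays());
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(args.length > 0 ? args[0] : "server.properties")) {
            p.load(in);
        }
        // ssl.keystore.* and ssl.truststore.* are Kafka's standard SSL properties; type defaults to JKS.
        for (String store : new String[] {"keystore", "truststore"}) {
            String path = p.getProperty("ssl." + store + ".location");
            if (path == null) continue;
            Map<String, Long> days = daysLeftPerAlias(path, p.getProperty("ssl." + store + ".type", "JKS"),
                    p.getProperty("ssl." + store + ".password"));
            for (Map.Entry<String, Long> d : days.entrySet()) {
                String level = d.getValue() <= WARN_DAYS ? "WARN" : "OK";
                System.out.printf("%s %s alias=%s daysLeft=%d%n", level, path, d.getKey(), d.getValue());
            }
        }
    }
}
```

Run it once per broker from cron or a scheduler and alert on any `WARN` line; a negative `daysLeft` means the entry is already expired.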
