
I am using Bouncy Castle (BC) with the RSA algorithm in one of my .NET projects. I have created a root certificate (root.crt) using BC, and I have also created a certificate (server.crt) signed by root.crt using BC.

Using keytool, I have added server.crt to the keystore (server.keystore.jks) and root.crt to the truststore (server.truststore.jks). Please find below the commands for pushing these certificates to their respective stores.

Importing Server.crt to server.keystore.jks:

keytool -keystore server.keystore.jks -validity 365 -genkey -keyalg RSA -storetype pkcs12

keytool -keystore server.keystore.jks -import -file Server.crt

Importing root.crt to server.truststore.jks:

keytool -keystore server.truststore.jks -alias CARoot -import -file root.crt

Now, I am referring to the physical paths of these 2 stores in the Kafka server.properties file as below.

server.properties file:

ssl.keystore.location=C:\\kafka\\security\\server.keystore.jks
ssl.keystore.type=pkcs12
ssl.keystore.password=12345
ssl.key.password=12345
ssl.truststore.location=C:\\kafka\\security\\server.truststore.jks
ssl.truststore.type=JKS
ssl.truststore.password=12345
ssl.client.auth=required
security.inter.broker.protocol=SSL
ssl.endpoint.identification.algorithm=

When I try to run the Kafka server, it shuts down with the error below. Can anyone please help me out with this issue?

Error:

[2021-06-18 00:56:13,674] ERROR [KafkaServer id=0] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.apache.kafka.common.KafkaException: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: no cipher suites in common for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
        at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:74)
        at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:157)
        at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:97)
        at kafka.network.Processor.<init>(SocketServer.scala:780)
        at kafka.network.SocketServer.newProcessor(SocketServer.scala:406)
        at kafka.network.SocketServer.$anonfun$addDataPlaneProcessors$1(SocketServer.scala:285)
        at kafka.network.SocketServer.addDataPlaneProcessors(SocketServer.scala:284)
        at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1(SocketServer.scala:251)
        at kafka.network.SocketServer.$anonfun$createDataPlaneAcceptorsAndProcessors$1$adapted(SocketServer.scala:248)
        at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:553)
        at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:551)
        at scala.collection.AbstractIterable.foreach(Iterable.scala:920)
        at kafka.network.SocketServer.createDataPlaneAcceptorsAndProcessors(SocketServer.scala:248)
        at kafka.network.SocketServer.startup(SocketServer.scala:122)
        at kafka.server.KafkaServer.startup(KafkaServer.scala:286)
        at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:44)
        at kafka.Kafka$.main(Kafka.scala:82)
        at kafka.Kafka.main(Kafka.scala)
Caused by: org.apache.kafka.common.config.ConfigException: Invalid value javax.net.ssl.SSLHandshakeException: no cipher suites in common for configuration A client SSLEngine created with the provided settings can't connect to a server SSLEngine created with those settings.
        at org.apache.kafka.common.security.ssl.SslFactory.configure(SslFactory.java:98)
        at org.apache.kafka.common.network.SslChannelBuilder.configure(SslChannelBuilder.java:72)
        ... 17 more

Vinay Gangaraj
  • I am not sure if it is on purpose, but your keystore was created with JKS and not like keystore.p12 for storetype pkcs12. Not sure if it should cause you any of the related troubles; it does not seem much related. – Ran Lupovich Jun 17 '21 at 17:29

1 Answer


The only way I managed to get this to work was to use keytool to generate a CSR and then use BouncyCastle to generate a certificate from it.

You should also import both the CA and server certificates into the keystore.

1. Import CA certificate

keytool -importcert -noprompt -keystore server.keystore.jks -file root.crt -alias CARoot -storepass pass

2. Generate (unsigned) server certificate in key store

keytool -genkey -noprompt -keystore server.keystore.jks -keyalg RSA -validity 365 -dname "CN=your.computer.fqdn, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" -ext "SAN=DNS:your.computer.fqdn" -alias server -storepass pass -keypass pass

3. Export CSR

keytool -certreq -noprompt -keystore server.keystore.jks -alias server -file server-cert-sign-request -storepass pass

4. Use BouncyCastle to generate a certificate from the CSR

See this SO post and in particular my solution in C#

5. Import the signed certificate into the keystore

keytool -importcert -noprompt -keystore server.keystore.jks -file server.crt -alias server -storepass pass
bgh
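As an added example of step 4 (this is not the answer author's C# from the linked post, nor BouncyCastle's own sample), the following signs the keytool CSR from step 3 with a BouncyCastle CA. It assumes the CA certificate and private key are in PEM files named root.crt and root.key; the CSR file name and the output name server.crt are the ones used in steps 3 and 5.

```csharp
// Added example, not the answer author's code. Assumed CA inputs: root.crt and root.key (PEM).
using System;
using System.IO;
using Org.BouncyCastle.Asn1;
using Org.BouncyCastle.Asn1.Pkcs;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.OpenSsl;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.X509;

static class CsrSigner
{
    static object ReadPem(string path) { using var r = File.OpenText(path); return new PemReader(r).ReadObject(); }

    static void Main()
    {
        var csr = (Pkcs10CertificationRequest)ReadPem("server-cert-sign-request"); // file from step 3
        var caCert = (X509Certificate)ReadPem("root.crt");
        object keyObj = ReadPem("root.key"); // "RSA PRIVATE KEY" (key pair) or PKCS#8 "PRIVATE KEY"
        var caKey = keyObj is AsymmetricCipherKeyPair kp ? kp.Private : (AsymmetricKeyParameter)keyObj;
        if (!csr.Verify()) throw new InvalidOperationException("CSR signature invalid"); // proof of key possession
        var info = csr.GetCertificationRequestInfo();
        var gen = new X509V3CertificateGenerator();
        gen.SetSerialNumber(new BigInteger(64, new SecureRandom()).Add(BigInteger.One));
        gen.SetIssuerDN(caCert.SubjectDN);     // issuer must equal the root.crt subject so the truststore chains it
        gen.SetSubjectDN(info.Subject);
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5));
        gen.SetNotAfter(DateTime.UtcNow.AddDays(365));
        gen.SetPublicKey(csr.GetPublicKey());  // the key pair that stays inside server.keystore.jks
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); // end-entity only
        gen.AddExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        gen.AddExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeID.IdKPServerAuth));
        // Copy any extensionRequest attribute (e.g. SAN=DNS:...) that the CSR carries into the certificate.
        foreach (Asn1Encodable a in info.Attributes ?? new DerSet())
        {
            var attr = AttributePkcs.GetInstance(a);
            if (!attr.AttrType.Equals(PkcsObjectIdentifiers.Pkcs9AtExtensionRequest)) continue;
            var exts = X509Extensions.GetInstance(attr.AttrValues[0]);
            foreach (DerObjectIdentifier oid in exts.ExtensionOids) { var e = exts.GetExtension(oid); gen.AddExtension(oid, e.IsCritical, e.Value.GetOctets()); }
        }
        var signed = gen.Generate(new Asn1SignatureFactory("SHA256WITHRSA", caKey));
        signed.Verify(caCert.GetPublicKey());  // throws if the new certificate would not validate against root.crt
        using var w = File.CreateText("server.crt");
        new PemWriter(w).WriteObject(signed);  // step 5 imports this reply under the same alias ("server")
    }
}
```

keytool only places extensions in the CSR when -ext is passed to the -certreq command itself, so repeat the SAN there if you want it in the signed certificate; with a SAN that matches the broker hostname, ssl.endpoint.identification.algorithm no longer needs to be blanked out.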