Lenses can use TLS/SSL connections and supports Java Keystore (JKS) format for keys and certificates. At the moment, services may require:
.jks
.p12
.pfx
Lenses can connect with external services through SSL, see the pages kafka brokers, schema registry and connect for specific details on how to configure them.
If the certificates are previously created with the PEM format, they need to be converted to JKS. To do so, we can use keytool, a key and certificate management tool, that can be easily used through the lenses docker image. By using the docker image we ensure the java version used by lenses and keytool are compatible.
PEM
JKS
keytool
Generic command example:
docker run -it --rm lensesio/lenses:<version> /usr/bin/keytool <args>
To convert your PEM truststore to JKS, run the command below, where
file
keystore
alias
docker run \ -v /path/to/file.pem:/tmp/file.pem:ro \ -v /path/to/output/:/output \ -it --rm lensesio/lenses:5.4.0 /usr/bin/keytool \ -importcert \ -noprompt \ -trustcacerts \ -keystore /output/truststore.jks \ -alias "${alias}" \ -file /tmp/file.pem \ -storepass changeit \ -storetype JKS
The output truststore will be found at /path/to/output/truststore.jks.
/path/to/output/truststore.jks
In this part, we’ll generate a keystore file from a private key and a certificate file in PEM format. The process requires two steps:
changeit
openssl pkcs12 -export \ -inkey "${cert.key.pem}" \ -in "${cert.crt.pem}" \ -out /tmp/keystore.p12 \ -name service \ -passout pass:changeit
docker run \ -v /path/to/keystore.p12:/tmp/keystore.p12:ro \ -v /path/to/output/:/output \ -it --rm lensesio/lenses:5.4.0 /usr/bin/keytool \ -importkeystore \ -noprompt -v \ -srckeystore /tmp/keystore.p12 \ -srcstoretype PKCS12 \ -srcstorepass changeit \ -alias service \ -deststorepass changeit \ -destkeypass changeit \ -destkeystore /output/cert.jks \ -deststoretype JKS
The output keystore will be found at /path/to/output/cert.jks.
/path/to/output/cert.jks
On this page