Create Client Certificate (ACM)
Create a AWS Certificate Manager client certificate to authenticate Kafka client identity.

Resource Parameters

The following parameters are needed when following these steps to create a new client certificate using AWS Certificate Manager (ACM).
  • Common Name
  • Private Certificate Authority
Throughout this guide we use the following example client certificate parameters.
  • Client Identity
    • Common Name client-1
  • Private Certificate Authority
    • Name Mutual Authentication CA

Create the Certificate Authority

If you do not already have one, follow the Create Certificate Authority (ACM) guide to create a new private certificate authority in AWS Certificate Manager.
Note the ARN of the private certificate authority.

Generate the RSA key

We need to create a new key that will be used with the certificate, and store the key in pkcs8 format. In this example we will be creating the key for a client certificate with client-1 as the common name.
openssl genrsa -out client-1.key.pem 4096
openssl pkcs8 -topk8 -nocrypt -in client-1.key.pem -out client-1.pkcs8.pem

Create the signing request

Next we need to create a certificate corresponding to the key, with metadata about the owner of the certificate and the common name. This is done by first creating a certificate signing request.
openssl req -new -key client-1.key.pem -out client-1.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) []:US
State or Province Name (full name) []:California
Locality Name (eg, city) []:Palo Alto
Organization Name (eg, company) []:Aklivity
Organizational Unit Name (eg, section) []:Development
Common Name (eg, fully qualified host name) []:client-1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This creates the signing request in client-1.csr.

Issue the signed certificate

Now that the certificate signing request has been prepared, it can be used to issue a new certificate signed by your private certificate authority.
In this example, we issue the certificate to be valid for 365 days. You should choose a validity period that best suits your specific use case.
aws acm-pca issue-certificate \
--region us-east-1 \
--certificate-authority-arn <private-certificate-authority-arn> \
--csr fileb://client-1.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=365,Type="DAYS" \
--idempotency-token 1234
This command returns the ARN of the newly signed certificate.
"CertificateArn": "arn:aws:acm-pca:us-east-1:...:certificate-authority/.../certificate/..."
Note the certificate ARN as we need to reference it later.
Copy link
On this page
Resource Parameters
Create the Certificate Authority
Generate the RSA key
Create the signing request
Issue the signed certificate