We are trying to generate server certificates for a cluster of Kafka servers to communicate over SSL.
The procedure works, but the resulting validity of the certificates is only 30 days.
We are requesting 365 days, and after "Step 1" (see below), we have a key pair with the correct validity. See (1) below.
However, after we import the signed certificate back into the keystore, the validity has been reduced to 30 days. See (2) below.
Why is that, and how can we fix it?
echo "Step1: Create the server identity and keystore"
$ORACLE_JDK_1_8_0_u181_keytool -genkey -keystore keystore.p12 -alias localhost -validity 365 -keyalg RSA -deststoretype pkcs12 -ext SAN="DNS:$SERVER_NAME.corp.com,IP:1.2.3.4"
$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (1) Shows validity of 365 days: correct
echo "Step2: Export the private key from the keystore to a separate file"
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out $SERVER_NAME_key.pem -passin pass:$KPWD -passout pass:$KPWD
echo "Step3: Create a Certificate Signing Request (CSR)"
openssl req -new -key $SERVER_NAME_key.pem -out $SERVER_NAME.csr -passin pass:$KPWD -passout pass:$KPWD
echo "Step6 Sign the server certificate"
openssl x509 -req -in $SERVER_NAME.csr -CA CAcert.pem -CAkey CAkey.pem -CAcreateserial -out $SERVER_NAME_key_signed.pem -passin pass:$CAPD
echo "Step7: Import both the certificate of the CA and the signed certificate into the keystore."
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias CARoot -import -file CAcert.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -keystore keystore.p12 -alias localhost -import -file $SERVER_NAME_key_signed.pem -storepass $KPWD
$ORACLE_JDK_1_8_0_u181_keytool -list -v -keystore keystore.p12 -storepass $KPWD
# (2) Shows validity of 30 days: WRONG. WHY?
