Posted to commits@pulsar.apache.org by si...@apache.org on 2019/06/01 13:18:44 UTC

[pulsar] branch master updated: [doc] Improve tls authentication documentation. (#4317)

This is an automated email from the ASF dual-hosted git repository.

sijie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 8c881ec  [doc] Improve tls authentication documentation. (#4317)
8c881ec is described below

commit 8c881ecc09b0652219a0d891f64e0e54ac9dcbfd
Author: lipenghui <pe...@apache.org>
AuthorDate: Sat Jun 1 21:18:39 2019 +0800

    [doc] Improve tls authentication documentation. (#4317)
---
 site2/docs/security-tls-authentication.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/site2/docs/security-tls-authentication.md b/site2/docs/security-tls-authentication.md
index f93388d..f6a2978 100644
--- a/site2/docs/security-tls-authentication.md
+++ b/site2/docs/security-tls-authentication.md
@@ -32,6 +32,8 @@ Generate the certificate request. When asked for a **common name**, enter the **
 $ openssl req -config openssl.cnf \
       -key admin.key.pem -new -sha256 -out admin.csr.pem
 ```
+> Note
+> If there is no openssl.cnf, please read [Certificate authority](http://pulsar.apache.org/docs/en/security-tls-transport/#certificate-authority) to get the openssl.cnf.
 
 Sign with request with the certificate authority. Note that that client certs uses the **usr_cert** extension, which allows the cert to be used for client authentication.
 
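Review bot: The link in the added note is an absolute `http://pulsar.apache.org/docs/en/...` URL, so it is plain HTTP and pinned to one language and doc version instead of following the page the reader is on. A relative link to the sibling document's `#certificate-authority` anchor would be more robust. Also, `> Note` followed directly by `> If there is no openssl.cnf, ...` has no blank `>` line between them, so Markdown will merge both into one paragraph reading "Note If there is no ..."; make the label bold or separate it with a `>` line. The sentence could be tightened to say that `openssl.cnf` is created in the Certificate authority section and that the commands must be run from that CA directory.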
@@ -43,6 +45,16 @@ $ openssl ca -config openssl.cnf -extensions usr_cert \
 
 This will give you a cert, `admin.cert.pem`, and a key, `admin.key-pk8.pem`, which, with `ca.cert.pem`, can be used by clients to authenticate themselves to brokers and proxies as the role token ``admin``.
 
+> Note
+> If got "unable to load CA private key" error and the reason is "No such file or directory: /etc/pki/CA/private/cakey.pem" in this step. Please try :
+>
+> ```bash
+> $ cd /etc/pki/tls/misc/CA
+> $ ./CA -newca
+> ```
+>
+> to generate `cakey.pem` .
+
 ## Enabling TLS Authentication ...
 
 ### ... on Brokers
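Review bot: The workaround in this note, `./CA -newca`, creates a new certificate authority under `/etc/pki/CA`, but the paragraph just above says the resulting cert is used together with `ca.cert.pem`. A client cert signed by a freshly generated CA would not chain to `ca.cert.pem`, so brokers and proxies trusting that CA would reject it. The error path `/etc/pki/CA/private/cakey.pem` suggests `openssl ca` is not reading the `openssl.cnf` from the Certificate authority section that the earlier note points to, so the note should direct readers to use that config and CA directory rather than generate a new CA. Separately, `cd /etc/pki/tls/misc/CA` followed by `./CA -newca` treats `CA` as both a directory and a script; if `CA` is the script, the `cd` should stop at `/etc/pki/tls/misc`. The path is also distribution-specific, which the note should state. Wording: "If got ... in this step. Please try :" should be one grammatical sentence, and `cakey.pem` should not be followed by a space before the period.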