![Screenshot from 2024-09-29 19-48-48](https://gist.github.com/user-attachments/assets/d1c0346f-9b21-4c36-a6c8-554674aa8bde)

### SSL Handshake Process Between Zookeeper and Kafka Broker

1. Zookeeper and the Kafka broker are running and want to connect via an SSL handshake.
2. Both services have:
   - Their own **CA-signed certificate** in the **keystore**.
   - The **same CA certificate (ca-cert)** from the CA in the **truststore**.
3. The broker sends its **CA-signed certificate** to Zookeeper.
4. Zookeeper verifies the broker's certificate using the **CA certificate (ca-cert)** in its truststore.
5. Upon verification, Zookeeper sends its own **CA-signed certificate** to the broker.
6. The broker verifies Zookeeper's certificate using the **CA certificate (ca-cert)** in its truststore.
7. Once both certificates are verified, they start secure communication.

### Step-by-Step Commands and Explanations

1. **Generate CA Key and Certificate**:

   ```bash
   openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650
   ```

   - Creates a new CA private key (`ca-key`) and a self-signed CA certificate (`ca-cert`).

2. **Create Truststore and Import CA Certificate**:

   ```bash
   keytool -keystore kafka.zookeeper.truststore.jks -alias ca-cert -import -file ca-cert
   ```

   - Creates a truststore (`kafka.zookeeper.truststore.jks`) and imports the CA certificate.

3. **Create Keystore and Generate a Key Pair**:

   ```bash
   keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -validity 3650 -genkey -keyalg RSA -ext SAN=dns:localhost
   ```

   - Creates a keystore (`kafka.zookeeper.keystore.jks`) and generates a key pair for Zookeeper.

4. **Create Certificate Signing Request (CSR)**:

   ```bash
   keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -certreq -file ca-request-zookeeper
   ```

   - Generates a CSR (`ca-request-zookeeper`) using the Zookeeper key pair.

5. **Sign the CSR with the CA Certificate**:

   ```bash
   openssl x509 -req -CA ca-cert -CAkey ca-key -in ca-request-zookeeper -out ca-signed-zookeeper -days 3650 -CAcreateserial
   ```

   - Signs the CSR to create a CA-signed certificate (`ca-signed-zookeeper`).

6. **Import CA Certificate into Keystore**:

   ```bash
   keytool -keystore kafka.zookeeper.keystore.jks -alias ca-cert -import -file ca-cert
   ```

   - Imports the CA certificate into Zookeeper's keystore.

7. **Import the Signed Certificate into Keystore**:

   ```bash
   keytool -keystore kafka.zookeeper.keystore.jks -alias zookeeper -import -file ca-signed-zookeeper
   ```

   - Imports the CA-signed certificate into Zookeeper's keystore.
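The seven steps above as one non-interactive script, added here as an example and not part of the gist: it keeps the gist's file names, carries the SAN through signing (`openssl x509 -req` drops the SAN requested in the CSR unless it is re-applied with `-extfile`), and ends with a check that the signed certificate chains to `ca-cert` and still names the host. The `KAFKA_SSL_PASS` variable, its placeholder default and the CA subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): the same seven steps, non-interactive, plus a
# check that the signed certificate chains to ca-cert and still carries its SAN.
# File names follow the gist; KAFKA_SSL_PASS and its default value are assumptions.
set -eu
PASS="${KAFKA_SSL_PASS:-changeit-placeholder}"   # one password for key, keystore, truststore

# Step 1: CA private key (encrypted with $PASS) and self-signed CA certificate.
make_ca() {
  openssl req -new -x509 -keyout ca-key -out ca-cert -days 3650 \
    -subj "/CN=kafka-local-ca" -passout "pass:$PASS"
}

# Step 2: truststore that holds only the CA certificate.  $1 = service name.
make_truststore() {
  keytool -keystore "kafka.$1.truststore.jks" -alias ca-cert -import -file ca-cert \
    -noprompt -storepass "$PASS"
}

# Step 5: sign a CSR.  openssl x509 -req does not copy the SAN requested in the
# CSR, so it is re-applied through -extfile.  $1 = CSR, $2 = output, $3 = DNS name.
sign_request() {
  printf 'subjectAltName=DNS:%s\n' "$3" > "san-$3.cnf"
  openssl x509 -req -CA ca-cert -CAkey ca-key -in "$1" -out "$2" -days 3650 \
    -CAcreateserial -extfile "san-$3.cnf" -passin "pass:$PASS"
}

# Steps 3, 4, 6, 7 around sign_request.  $1 = alias/service name, $2 = DNS name.
# The CA certificate is imported before the signed one so keytool can build the chain.
issue_node_cert() {
  ks="kafka.$1.keystore.jks"
  keytool -keystore "$ks" -alias "$1" -validity 3650 -genkey -keyalg RSA \
    -dname "CN=$2" -ext "SAN=dns:$2" -storepass "$PASS" -keypass "$PASS"
  keytool -keystore "$ks" -alias "$1" -certreq -file "ca-request-$1" \
    -ext "SAN=dns:$2" -storepass "$PASS"
  sign_request "ca-request-$1" "ca-signed-$1" "$2"
  keytool -keystore "$ks" -alias ca-cert -import -file ca-cert -noprompt -storepass "$PASS"
  keytool -keystore "$ks" -alias "$1" -import -file "ca-signed-$1" -storepass "$PASS"
}

# Check: returns 0 only if $1 verifies against ca-cert AND its SAN lists DNS:$2.
verify_signed() {
  openssl verify -CAfile ca-cert "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Full Zookeeper-side run (guarded so that sourcing this file only defines the functions).
if [ "${RUN_DEMO:-}" = 1 ]; then
  make_ca && make_truststore zookeeper && issue_node_cert zookeeper localhost &&
    verify_signed ca-signed-zookeeper localhost && echo "zookeeper: chain and SAN OK"
fi
```

Because both truststores hold nothing but `ca-cert`, every certificate this CA signs is accepted by both sides, so `ca-key` needs at least the same protection as the keystores.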