ApsaraMQ for Kafka: Update the SSL certificate algorithm

Last Updated: Dec 12, 2024

You can update the SSL certificate algorithm for your non-serverless instance based on your security requirements.

Prerequisites

An ApsaraMQ for Kafka instance that can be accessed over the Internet is purchased and deployed. Make sure that the instance is in the Running state.

Background information

When you enable the Internet access feature for your ApsaraMQ for Kafka instance, the system initializes the SSL-related ports for the instance. You can view the key size of the SSL certificate for the instance in the Configurations section of the Instance Details page in the ApsaraMQ for Kafka console. You can determine whether to update the SSL certificate algorithm for your instance based on your security requirements. If you want to update the SSL certificate algorithm, perform the operations that are described in the following sections to change the key size of the SSL certificate to 4,096 bits.

Important
  • If you change only the value of the SSL Certificate Key Size (Bits) parameter in the Configuration Information section of the Instance Details page in the ApsaraMQ for Kafka console, clients fail to work. Before you change the value of the SSL Certificate Key Size (Bits) parameter, download the new certificate, modify the certificate configurations on your client, and then restart the client.

  • When you enable the Internet access feature for a serverless instance, the default key size of the SSL certificate for the instance is 4,096 bits. You cannot change the key size of the SSL certificate.

Download the SSL certificate

  • Scenario 1: Your instance is not deployed. If your client is developed by using Java, click only.4096.client.truststore.jks to download the SSL certificate for Java. If your client is developed in another programming language, download the only-4096-ca-cert certificate file of the corresponding programming language. For more information, see the "SDKs" section of the Overview topic.

  • Scenario 2: Your instance is deployed, and the key size of the SSL certificate for the instance is 1,024 bits. If your client is developed by using Java, click kafka.client.truststore.jks to download the SSL certificate for Java. If your client is developed in another programming language, download the ca-cert.pem certificate file of the corresponding programming language. For more information, see the "SDKs" section of the Overview topic.

  • Scenario 3: Your instance is deployed, and you want to change the key size of the SSL certificate for the instance from 1,024 bits to 4,096 bits. If your client is developed by using Java, click mix.4096.client.truststore.jks to download the SSL certificate for Java. If your client is developed in another programming language, download the mix-4096-ca-cert certificate file of the corresponding programming language. For more information, see the "SDKs" section of the Overview topic. The mix.4096.client.truststore.jks file and the mix-4096-ca-cert file each contain both the 1024-bit SSL certificate and the 4096-bit SSL certificate. You can use either file on your client, regardless of whether the key size of the certificate for your instance is 1024 bits or 4096 bits.

Procedure

  1. Download the 4096-bit SSL certificate based on the programming language of your client. For the download link, see the preceding section.

  2. Replace the original SSL certificate with the downloaded SSL certificate on your client. Then, restart the client.

  3. In the Configuration Information section of the Instance Details page in the ApsaraMQ for Kafka console, change the value of the SSL Certificate Key Size (Bits) parameter to 4096. For more information, see Modify message configurations.
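A pre-flight check to run between steps 2 and 3, as an added example that is not part of the original documentation: it lists the RSA key sizes of the certificates in the CA file deployed on a non-Java client, so you can confirm the 4096-bit certificate is present before you change the console setting. It assumes the CA file is PEM-encoded and the keys are RSA; the function names are hypothetical, and JKS truststores are not covered.

```python
import base64
import re
import sys

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _items(buf, pos, end):
    """Yield (tag, value_start, value_end) for each DER element in buf[pos:end]."""
    while pos < end:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        pos += length

def rsa_key_bits(der):
    """RSA modulus size in bits of one DER certificate, or None for non-RSA keys."""
    _, s, e = next(_items(der, 0, len(der)))       # Certificate
    _, s, e = next(_items(der, s, e))              # tbsCertificate
    fields = list(_items(der, s, e))
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    _, s, e = fields[5]                            # subjectPublicKeyInfo
    (_, a_s, a_e), (_, b_s, b_e) = list(_items(der, s, e))
    _, o_s, o_e = next(_items(der, a_s, a_e))      # algorithm OID
    if der[o_s:o_e] != RSA_OID:
        return None
    _, k_s, k_e = next(_items(der, b_s + 1, b_e))  # RSAPublicKey, after unused-bits byte
    _, m_s, m_e = next(_items(der, k_s, k_e))      # modulus INTEGER
    return int.from_bytes(der[m_s:m_e], "big").bit_length()

def bundle_key_sizes(pem_text):
    """Sorted key sizes (bits) of every RSA certificate in a PEM CA bundle."""
    ders = (base64.b64decode(body) for body in PEM_RE.findall(pem_text))
    return sorted(bits for bits in map(rsa_key_bits, ders) if bits)

def ready_for_4096(pem_text):
    """True when the bundle already contains a 4096-bit certificate."""
    return 4096 in bundle_key_sizes(pem_text)

if __name__ == "__main__":
    sizes = bundle_key_sizes(open(sys.argv[1]).read())
    print("RSA key sizes in bundle:", sizes)
    sys.exit(0 if 4096 in sizes else 1)
```

Run it with the path of the CA file your client loads; a non-zero exit status means the file holds no 4096-bit certificate and the console setting should not be changed yet.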