You can update the SSL certificate algorithm for your Message Queue for Apache Kafka instance based on your security requirements.

Prerequisites

An ApsaraMQ for Kafka instance that can be accessed over the Internet is purchased and deployed, and the instance is in the Running state.

Background information

When you enable the Internet access feature for your instance, the system initializes the SSL-related ports for the instance. In the ApsaraMQ for Kafka console, you can view the length of SSL certificate keys for the instance on the Instance Details page. You can determine whether to update the SSL certificate algorithm for your instance based on your security requirements. If you want to update the SSL certificate algorithm, perform the operations that are described in the following sections to change the length of SSL certificate keys to 4,096 bits.

Important: If you only change the value of the SSL Certificate Key Size (Bits) parameter on the Instance Details page in the ApsaraMQ for Kafka console and you do not update the SSL certificate on your client, you cannot connect your client to the instance. Before you change the value of the SSL Certificate Key Size (Bits) parameter on the Instance Details page, download the new certificate, modify the certificate configurations on your client, and then restart the client.

Download the SSL certificate

  • Scenario 1: Your instance is not deployed. If your client is developed by using Java, you can click only.4096.client.truststore.jks to download the SSL certificate for Java. If your client is developed in a different programming language, download the only-4096-ca-cert certificate file based on the relevant programming language. For more information, see SDKs.
  • Scenario 2: Your instance is deployed, and the length of SSL certificate keys for the instance is 1,024 bits. If your client is developed by using Java, you can click kafka.client.truststore.jks to download the SSL certificate for Java. If your client is developed in a different programming language, download the ca-cert.pem certificate file based on the relevant programming language. For more information, see SDKs.
  • Scenario 3: Your instance is deployed, and you want to change the length of SSL certificate keys for the instance from 1,024 bits to 4,096 bits. If your client is developed by using Java, you can click mix.4096.client.truststore.jks to download the SSL certificate for Java. If your client is developed in a different programming language, download the mix-4096-ca-cert certificate file based on the relevant programming language. For more information, see SDKs. The mix.4096.client.truststore.jks file and the mix-4096-ca-cert file each contain both the 1024-bit SSL certificate and the 4096-bit SSL certificate. You can use these files on your client regardless of the key length that you specify on the server.

Procedure

  1. Download the 4096-bit SSL certificate based on the programming language of your client. For the download link, see the preceding section.
  2. Replace the original SSL certificate with the new SSL certificate on your client. Then, restart the client.
  3. On the Instance Details page in the console, change the value of the SSL Certificate Key Size (Bits) parameter to 4096. For more information, see Modify configurations for messages.
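
A pre-flight check for the Important note above, as an added example that is not part of the original page or of Alibaba Cloud's tooling: it reads the RSA key size of every certificate in a PEM bundle, so you can confirm that the client already trusts a 4096-bit certificate before you change the console parameter in step 3. It assumes the certificate file downloaded for non-Java clients is a PEM bundle (it does not read .jks truststores); all function names are hypothetical, and the sample certificates are constructed stand-ins with dummy key material.

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def der_items(buf):
    """Split a DER value into its (tag, content) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def rsa_bits(der):
    """RSA modulus size in bits of one X.509 certificate, or None if the key is not RSA."""
    tbs = der_items(der_items(der_items(der)[0][1])[0][1])  # fields of tbsCertificate
    if tbs[0][0] == 0xA0:  # optional [0] version field
        tbs = tbs[1:]
    alg, key = der_items(tbs[5][1])[:2]  # subjectPublicKeyInfo
    if der_items(alg[1])[0][1] != RSA_OID:
        return None
    modulus = der_items(der_items(key[1][1:])[0][1])[0][1]  # BIT STRING -> RSAPublicKey.n
    return int.from_bytes(modulus, "big").bit_length()

def bundle_key_sizes(pem_text):
    """Key size of every certificate in a PEM bundle such as ca-cert.pem."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    return [rsa_bits(base64.b64decode(b)) for b in blocks]

def safe_to_switch(pem_text, target=4096):
    """True only if the bundle the client trusts already holds a key of the target size."""
    return target in bundle_key_sizes(pem_text)

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed sample below."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def constructed_cert(bits):
    """Constructed sample: certificate-shaped DER with a dummy modulus, not a real certificate."""
    key = tlv(0x30, tlv(0x02, b"\x00" + b"\xff" * (bits // 8)) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + spki)
    der = tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

To check a real download, pass the text of the file your client loads to safe_to_switch; a result of False means the client would lose its connection once the server presents the 4096-bit certificate.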