# Creating Certificates and Key Stores for Kafka TLS
This guide will help you create certificates and key stores for use with the Kafka TLS protocol. It involves setting up a private Certificate Authority (CA) and generating certificates for Kafka servers and clients.
## Step 1: Create a Private Certificate Authority (CA)
Generate a self-signed CA certificate to act as your own Certificate Authority. The `-nodes` option leaves the CA private key (`ca-key`) unencrypted on disk.
```shell
openssl req -new -newkey rsa:4096 -days 365 -x509 -subj "/CN=Demo-Kafka" -keyout ca-key -out ca-cert -nodes
```
## Step 2: Generate the Kafka Server Key Pair
Generate a key pair (with a temporary self-signed certificate) for the Kafka server and store it in a KeyStore. The key is stored under keytool's default alias `mykey`; `-keyalg RSA` is given explicitly because older keytool releases default to DSA, which TLS clients generally reject.
```shell
keytool -genkey -keyalg RSA -keysize 2048 -keystore kafka.server.keystore.jks -validity 365 -storepass password -keypass password -dname "CN=localhost" -storetype pkcs12
```
## Step 3: Create a Certificate Signing Request (CSR)
Create a CSR for the Kafka server certificate from the key pair in the KeyStore.
```shell
keytool -keystore kafka.server.keystore.jks -certreq -file cert-file -storepass password -keypass password
```
## Step 4: Sign the CSR with the CA
Sign the CSR with the CA to obtain a certificate for the Kafka server. `-CAcreateserial` writes a `ca-cert.srl` serial-number file next to `ca-cert`; `-passin` is only consulted if the CA key is encrypted, which it is not here.
```shell
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-file-signed -days 365 -CAcreateserial -passin pass:password
```
## Step 5: Import the CA Certificate into the Server KeyStore
Import the CA certificate into the Kafka server's KeyStore. This must happen before the signed certificate is imported, otherwise keytool cannot build the chain for the reply.
```shell
keytool -keystore kafka.server.keystore.jks -alias CARoot -import -file ca-cert -storepass password -keypass password -noprompt
```
## Step 6: Import the Signed Certificate into the Server KeyStore
Import the signed certificate into the Kafka server's KeyStore. No alias is given, so it replaces the temporary certificate under the default alias `mykey`, which is the entry whose key pair produced the CSR.
```shell
keytool -keystore kafka.server.keystore.jks -import -file cert-file-signed -storepass password -keypass password -noprompt
```
## Step 7: Import the CA Certificate into the Server TrustStore
Import the CA certificate into the Kafka server's TrustStore.
```shell
keytool -keystore kafka.server.truststore.jks -alias CARoot -import -file ca-cert -storepass password -keypass password -noprompt
```
## Step 8: Import the CA Certificate into the Client TrustStore
Import the CA certificate into the Kafka client's TrustStore, so clients accept certificates issued by this CA.
```shell
keytool -keystore kafka.client.truststore.jks -alias CARoot -import -file ca-cert -storepass password -keypass password -noprompt
```
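The following script is an added example, not part of the original guide: it rebuilds the same CA, CSR and signing steps with openssl alone in a scratch directory (openssl stands in for keytool on the server-key step) and then runs the checks worth doing before installing the files: the signed certificate chains to the private CA, its CN names the broker host, and its public key matches the server private key. It assumes openssl is installed; the directory and file names are constructed here.

```shell
#!/bin/sh
# Added example (not from the guide): reproduce CA -> CSR -> signed cert with openssl
# in a scratch directory and verify the result. Assumes openssl is on PATH.
set -eu

# chain_ok CA CERT: succeed only if CERT was issued by CA (what the truststore will decide).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# verify_chain DIR: build the demo material in DIR and run all checks; 0 only if all pass.
verify_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Private CA, as in the guide's first step (2048-bit key to keep the demo fast)
    openssl req -new -newkey rsa:2048 -days 365 -x509 -subj "/CN=Demo-Kafka" \
        -keyout "$dir/ca-key" -out "$dir/ca-cert" -nodes 2>/dev/null
    # Server key pair and CSR; the guide uses keytool here, openssl stands in
    openssl req -new -newkey rsa:2048 -subj "/CN=localhost" \
        -keyout "$dir/server-key" -out "$dir/cert-file" -nodes 2>/dev/null
    # Sign the CSR with the CA, as in the guide's signing step
    openssl x509 -req -CA "$dir/ca-cert" -CAkey "$dir/ca-key" -in "$dir/cert-file" \
        -out "$dir/cert-file-signed" -days 365 -CAcreateserial 2>/dev/null

    # Check 1: the signed certificate chains to the private CA
    chain_ok "$dir/ca-cert" "$dir/cert-file-signed" || { echo "FAIL: chain"; return 1; }
    # Check 2: the subject CN is the broker hostname the clients will connect to
    openssl x509 -in "$dir/cert-file-signed" -noout -subject \
        | grep -q "CN *= *localhost" || { echo "FAIL: subject CN"; return 1; }
    # Check 3: the certificate's public key belongs to the server private key
    pub_from_key=$(openssl pkey -in "$dir/server-key" -pubout 2>/dev/null)
    pub_from_cert=$(openssl x509 -in "$dir/cert-file-signed" -noout -pubkey)
    [ "$pub_from_key" = "$pub_from_cert" ] || { echo "FAIL: key mismatch"; return 1; }
    echo "PASS: $dir/cert-file-signed verified against $dir/ca-cert"
    return 0
}
```

Run `verify_chain ./tls-demo` to try it; the same `openssl verify` and `-pubkey` comparison can be pointed at the guide's real `ca-cert` and `cert-file-signed` before they are imported into the KeyStore.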