Some doubts on Strimzi mTLS Certificate Handling and Client Authentication

[vinay-ghate]

Hi all,
I am working on a project and using a custom mTLS service and I have a few specific questions regarding how Strimzi handles TLS/mTLS certificates for Kafka clients:

1. Per‑Client Certificate Generation
   Does Strimzi generate a unique certificate per Kafka client (via KafkaUser) and use it for mTLS authentication?

2. External CA Validation
   When a client connects with mTLS, can Strimzi forward the incoming certificate to an external Certificate Authority for validation during the TLS handshake?

3. Custom CA for Client Validation
   Does Strimzi support loading a custom CA certificate (instead of the Cluster CA) to validate client certificates during connection?

If possible can you tell me ways to use if possible?

[scholzj]

Re 1) Every KafkaUser hs its own certificate generated and signed by the Clients CA. (Please keep in mind that the trust is established based on the CA and there is no revocation mechanism. So the certificates would be valid until the CA is replaced or until they expire.)

Re 2) The actual mTLS authentication is done by Kafka. So if you know how to do this in Kafka, please provide some details and I can see if that is reasible in some way or not. But as far as I know, this is not something Kafka supports.

Re 3) The user mTLS has nothing to do with the Cluster CA. Only with the Clients CA. You can provide your own custom Clients CA if you want to.

[vinay-ghate]

Thanks for the clarification that helps a lot.
Based on your explanation I’ll explore the possible approaches on my side and see what fits our use case. Appreciate the guidance!