Providing your own Kafka listener certificates

[bj9306]

I am following below documentation to set up kafka listener certificate to re-use my existing certificates.

https://strimzi.io/docs/operators/latest/using.html#proc-installing-certs-per-listener-str

how can i generate truststore and keystore for my consumer?

ssl.truststore.location=
ssl.keystore.location=

[scholzj]

The listener certificates are about server certificates. So in the client, they only impact truststore. Keystore is needed only for TLS authentication. How to create the truststore depends on the formats you have. In general, you can use the Java keytool file to generate it (check the Java docu for the exact command). Or with newer Kafka version you can use the PEM files directly as well (check the Kafka docs for more details - I think it needs Kafka 2.7.0 and newer)

[bj9306]

Thanks for your reply. how is brokerCertChainAndKey different from ca-certs in -cluster-ca-cert? sorry i am just tying to understand the set up

[scholzj]

The Cluster CA is a CA -> it is used to sign the server certificates for all the different components including ZooKeeper etc. So it is not used just for the Kafka listeners. It is by default auto-generated as a self-signed CA. But you can provide your own. But if you provide your own, it has to be a CA (not necessarily root CA, but the CA certificate needs to be allowed to be used as CA).

The listener certificate is used only for the listener where you configure it - the replication or ZooKeeper communication will still use the Cluster CA. But thanks to this, you do not need to use a CA here but basically any server certificate can do. This makes it easier to use (and you can for example for external listeners use it with Let's Encrypt and other public CAs if you want to).