CA cert

[sreejesh123]

Hi I understand from our previous conversation that Strimzi uses self signed CA for cluster ca and client ca. is this created using openssl? or some other method? and as any other slef signed, I am assuming this self singed CA never expires?

[ppatierno]

Strimzi uses openssl to create the self signed CA for signing other server certificates (and clients one). The default validity is 1 year (365 days) but you can change it by setting Kafka.spec.clusterCa.validityDays or Kafka.spec.clientsCa.validityDays.
More info here in the doc: https://strimzi.io/docs/operators/latest/using.html#con-certificate-renewal-str

[sreejesh123]

Thanks you, is there any document which explains where and what all uses CLUSTER CA which is issued by OPENSSL? We want to make a use case to use Strimzi in our org, but cert management we need to get an apporval from Security Office , hence the request.

[ppatierno]

The link I just shared with you is part of a complete chapter in the doc talking about TLS certificates management. You can find all the info there.

https://strimzi.io/docs/operators/latest/using.html#security-str

Anyway the doc doesn't explain that it uses openssl which is an implementation detail.