About TLS connection with SCRAM authentication

[bahaeddinoz]

Hello,
i would like to enable TLS and SCRAM authentication between producers, consumers and kafka brokers. When i enable it between brokers and consumers everthing looks good but i just wanted to see what happens when certificate renew happens therefore, renewed the certificates manually as mentioned here : https://strimzi.io/docs/operators/latest/deploying.html#certificates-and-secrets-str
after that operator restarted every components of strimzi-kafka. I still using the old certificates with my consumers but i am able to connect successfully. When i check if still i have old certificates on my secret no i have totally new ones. Do you have any idea what this can be happen?

[scholzj]

So, you used the strimzi.io/force-renew annotation? That renews the certificate. But keeps the old private key. So the old certificates signed with the same private key will keep working until they expire. If you want the old certificates to stop working, you can use the force-replace annotation. That is a bit more complicated as it has to roll the components at least twice. But it generates a new private key as well, so once the replacement if complete, the old certificates should not work anymore.

[bahaeddinoz]

oh ok. Let me test it. Thank you @scholzj 🙏

[bahaeddinoz]

it works. Thank you again @scholzj 🙏