Hi all,

Recently I found a document error when configuring Pulsar client for TLS encryption. See https://github.com/apache/pulsar/issues/14762. However, the code example in the official documents is more intuitive.

See https://pulsar.apache.org/docs/en/security-tls-transport/#java-client. The example code doesn't configure `AuthenticationTls`, but it is required once TLS encryption is enabled, even if TLS authentication is not enabled, because the client side can only send an SSL handshake via `AuthenticationTls`. It would be confusing.

Since the cert file and the key file are generated using a CA, whose path is specified by the `tlsTrustCertsFilePath` method, I think it would be possible to generate a cert and a key file automatically. We only need to specify a common name, which represents the role when authentication is enabled.

My initial design is, when the client configures the `tlsTrustCertsFilePath`:

- If no authentication plugin is enabled, generate the cert and key files automatically using a default common name.
- Otherwise, use the cert and key files specified in `AuthenticationTls`.

The benefit is, when you want to pass the TLS authentication, you must configure `AuthenticationTls` on the client side, while you only need to configure `tlsTrustCertsFilePath` if the broker side only enables TLS encryption.

What do you think? Is there a better solution?

Thanks,
Yunze