Raghav,

1. Clients need a keystore if you are using TLS client authentication. To enable client authentication, you need to configure ssl.client.auth in server.properties. This can be set to required|requested|none. If you don't enable client authentication, any client will be able to connect to your broker. You could alternatively use SASL for client authentication.

2. Client keystore is mandatory if ssl.client.auth=required, optional for requested and not used for none. The truststore configured on the client is used to authenticate the server. So you have to provide it unless your broker is using certificates signed by a trusted authority.

Hope that helps.

Rajini

On Fri, May 12, 2017 at 11:35 AM, Raghav <raghavas...@gmail.com> wrote:
> Hi
>
> I read the documentation here:
> https://kafka.apache.org/documentation/#security_ssl
>
> I have a few questions about trust store and keystore based on this scenario:
>
> We have 5 Kafka Brokers in our cluster. We want our clients to write to our
> Kafka brokers in a secure way. Suppose we also host a private CA as
> mentioned in the documentation above, and provide our clients the *ca-cert*
> file, which they add to their trust store.
>
> 1. Do we require our clients to generate their certificate and have it
> signed by our private CA, and add it to their keystore?
>
> 2. When is keystore used by clients, and when is truststore used by clients?
>
> Thanks.
>
> --
> R
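As an added example (not part of this thread), the broker and client settings that Rajini's answer describes, side by side; the file paths and passwords are placeholders and the hostname is assumed:

```properties
# ---- server.properties (broker) ----
# Added example, not from the thread. Paths, passwords and hostname are placeholders.
listeners=SSL://broker1.example.com:9093
security.inter.broker.protocol=SSL

# Broker's own certificate (signed by the private CA), presented to clients.
ssl.keystore.location=/var/private/ssl/kafka.server.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME

# Broker truststore holds the private CA cert so the broker can verify
# certificates presented by clients.
ssl.truststore.location=/var/private/ssl/kafka.server.truststore.jks
ssl.truststore.password=CHANGE_ME

# Weak:     ssl.client.auth=none      -> traffic is encrypted, but any client may connect.
# Hardened: ssl.client.auth=required  -> every client must present a certificate
#           that chains to the CA in the broker truststore.
ssl.client.auth=required

# ---- client.properties (producer / consumer) ----
security.protocol=SSL

# Truststore: contains the ca-cert handed out by the cluster owner; used to
# authenticate the broker. Required unless the broker cert is from a public CA.
ssl.truststore.location=/var/private/ssl/kafka.client.truststore.jks
ssl.truststore.password=CHANGE_ME

# Keystore: the client's own certificate signed by the private CA.
# Mandatory with ssl.client.auth=required, optional with requested, unused with none.
ssl.keystore.location=/var/private/ssl/kafka.client.keystore.jks
ssl.keystore.password=CHANGE_ME
ssl.key.password=CHANGE_ME
```

A quick check of the broker setting: with ssl.client.auth=required, a client that omits the keystore lines fails the TLS handshake instead of connecting, which is the behaviour the question is asking about.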