Hi Rajini

This was very helpful. I have another question on similar lines.

We host Kafka Broker, and we also have our own private CA. We want our
customers to set up their Kafka Clients (Producer and Consumer) using SSL
using *ssl.client.auth=required*.

Is there a way we can generate a certificate for our clients, sign it using
our private CA, and then hand over to our customers these two certificates
(1. ca-cert 2. cert-signed), which, if they add them to their keystore and
truststore, they can send messages to our Kafka brokers while keeping
*ssl.client.auth=required*.

We are looking to minimize our customers' pre-setup steps. For example, in
the normal scenario, customers will need to generate a certificate and hand over
their certificate request to our private CA, which we then sign, and
send them the signed certificate and the private CA's certificate. So there is one
round trip. Just wondering if we can reduce these 2 steps to 1 step.

Thanks.

On Fri, May 12, 2017 at 8:53 AM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:

> Raghav,
>
> 1. Clients need a keystore if you are using TLS client authentication. To
> enable client authentication, you need to configure ssl.client.auth in
> server.properties. This can be set to required|requested|none. If you don't
> enable client authentication, any client will be able to connect to your
> broker. You could alternatively use SASL for client authentication.
> 2. Client keystore is mandatory if ssl.client.auth=required, optional for
> requested and not used for none. The truststore configured on the client is
> used to authenticate the server. So you have to provide it unless your
> broker is using certificates signed by a trusted authority.
>
> Hope that helps.
>
> Rajini
>
> On Fri, May 12, 2017 at 11:35 AM, Raghav <raghavas...@gmail.com> wrote:
>
> > Hi
> >
> > I read the documentation here:
> > https://kafka.apache.org/documentation/#security_ssl
> >
> > I have a few questions about trust store and keystore based on this
> > scenario:
> >
> > We have 5 Kafka Brokers in our cluster. We want our clients to write to
> > our Kafka brokers in a secure way. Suppose, we also host a private CA as
> > mentioned in the documentation above, and provide our clients the
> > *ca-cert* file, which they add to their trust store.
> >
> > 1. Do we require our clients to generate their certificate and have it
> > signed by our private CA, and add it to their keystore?
> >
> > 2. When is keystore used by clients, and when is truststore used by
> > clients?
> >
> >
> > Thanks.
> >
> > --
> > R
> >
>

-- 
Raghav
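The one-step issuance asked about above, as an added example that is not part of the thread: the CA operator mints the client key and CA-signed cert and packages them as a PKCS12 keystore and truststore, so the customer only drops the files in. It assumes openssl on PATH, that the client uses ssl.keystore.type=PKCS12 (which Kafka supports alongside JKS), and placeholder names/passwords (customer1, changeit) that are constructed, not real.

```shell
# Added example (not from the thread). Trade-off of skipping the CSR round trip:
# the CA side generates, delivers and must then delete the customer's private key.
# Assumes openssl on PATH; WORK, STOREPASS and customer1 are constructed placeholders.
set -eu
WORK=${WORK:-$(mktemp -d)}
CA_KEY="$WORK/ca-key.pem"; CA_CERT="$WORK/ca-cert.pem"
STOREPASS=${STOREPASS:-changeit}        # placeholder, not a real secret
# 1. Private CA; reuse your existing ca-key/ca-cert instead if you have one.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}
# 2. Mint one client identity: key, CSR, CA-signed cert, two stores and a config.
issue_client() {                        # $1 = client name, used as CN and alias
  name=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -days 90 -out "$WORK/$name-cert.pem" 2>/dev/null
  # Keystore = client key + client cert + CA cert (the chain the broker validates).
  openssl pkcs12 -export -name "$name" -inkey "$WORK/$name-key.pem" \
    -in "$WORK/$name-cert.pem" -certfile "$CA_CERT" \
    -out "$WORK/$name.keystore.p12" -passout "pass:$STOREPASS"
  # Truststore = CA cert only; the client uses it to authenticate the brokers.
  openssl pkcs12 -export -nokeys -name ca -in "$CA_CERT" \
    -out "$WORK/$name.truststore.p12" -passout "pass:$STOREPASS"
  cat > "$WORK/$name-client.properties" <<EOF
security.protocol=SSL
ssl.keystore.type=PKCS12
ssl.keystore.location=/path/to/$name.keystore.p12
ssl.keystore.password=$STOREPASS
ssl.truststore.type=PKCS12
ssl.truststore.location=/path/to/$name.truststore.p12
ssl.truststore.password=$STOREPASS
EOF
}
# 3. Check before shipping: the cert chains to our CA and the keystore opens.
verify_client() {
  name=$1
  openssl verify -CAfile "$CA_CERT" "$WORK/$name-cert.pem" >/dev/null &&
    openssl pkcs12 -in "$WORK/$name.keystore.p12" -passin "pass:$STOREPASS" \
      -nokeys -noout 2>/dev/null
}
make_ca
issue_client customer1
verify_client customer1 && echo "bundle for customer1 ready in $WORK"
```

The broker still needs ssl.client.auth=required and a truststore containing ca-cert; the customer only copies the two .p12 files and the properties file into place.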