Hello, I have my test/development certificates created for X509 request extensions and SAN names cover:

DNS.1 localhost
DNS.2 *.testsystem.net

To make things more practical, I have used the advertised.listeners and listeners to ONLY SSL://localhost:9093. I have verified the certificates and can also confirm that with the following settings I can do some basic console producer/consumer test and see data received:

security.inter.broker.protocol=SSL
ssl.keystore.location=/kafka_2.10-0.10.2.1/keys/kafka_server_keys.jks
ssl.keystore.password=youwish
ssl.key.password=youwish
ssl.truststore.location=/kafka_2.10-0.10.2.1/keys/kafka_truststore
ssl.truststore.password=youwish
ssl.endpoint.identification.algorithm=HTTPS
ssl.secure.random.implementation=SHA1PRNG
ssl.client.auth=required

Since I have got a wildcard DNS name in SAN, would I be able to use the same certificates for my brokers in a test environment where they have FQDNs such as:

host1.testsystem.net
host2.testsystem.net

In other words, if the clients do full hostname verification, will this be accepted? I haven't managed to check the source file yet. I hope I have set it up correctly as it suggests in RFC - https://tools.ietf.org/html/rfc2818#section-3.1

Kindest Regards,
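As an added illustration (not part of the original post or of Kafka), the following stand-alone Python applies the RFC 2818 section 3.1 wildcard rule to the SAN list from the question, showing which connected hostnames a verifying client accepts. It is stricter than RFC 2818 in one respect, as RFC 6125 and current TLS clients are: the wildcard must be the whole leftmost label.

```python
"""Added example: RFC 2818 section 3.1 hostname matching against the SAN list from the question.

Stricter than RFC 2818 in one respect (as RFC 6125 and current clients are): a wildcard must be
the entire leftmost label. DNS SAN entries never match IP literals, so connecting to 127.0.0.1
instead of "localhost" fails even though "localhost" is in the SAN.
"""
import ipaddress
from typing import Iterable, List

# Constructed from the two SAN entries in the question (DNS.1 and DNS.2).
SAN_DNS_NAMES = ["localhost", "*.testsystem.net"]


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def _wildcard_pattern_ok(labels: List[str]) -> bool:
    """Accept '*.example.net' style only: the wildcard is the whole leftmost label,
    no other label contains '*', and at least two fixed labels follow (so '*.net' is rejected)."""
    if "*" not in "".join(labels):
        return True
    return labels[0] == "*" and len(labels) >= 3 and not any("*" in l for l in labels[1:])


def hostname_matches_san(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries."""
    if _is_ip_literal(hostname):
        return False  # an iPAddress SAN entry would be needed for this
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        san_labels = san.rstrip(".").lower().split(".")
        if not _wildcard_pattern_ok(san_labels):
            continue  # malformed or over-broad wildcard: skip rather than match
        if len(san_labels) != len(host_labels):
            continue  # '*' matches exactly one label, so label counts must agree
        if all((p == "*" and h != "") or p == h for p, h in zip(san_labels, host_labels)):
            return True
    return False


if __name__ == "__main__":
    for name in ["localhost", "127.0.0.1", "host1.testsystem.net", "host2.testsystem.net",
                 "testsystem.net", "db.host1.testsystem.net"]:
        print(f"{name:28s} -> {hostname_matches_san(name, SAN_DNS_NAMES)}")
```

The name a client checks is the one it connects to, which for a Kafka client is the host in the broker's advertised.listeners; with that set to localhost the wildcard entry is never consulted, and the brokers' FQDNs must be advertised for it to matter.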