I am trying to set up 2-way SSL authentication. My requirement is that the broker should authenticate only specific clients. My organization has a CA which issues all certificates in PKCS12 format. The steps I followed are as follows.

1. Got a certificate for the broker and configured it in the broker keystore:
   ssl.keystore.location=/home/kafka/certificate.p12
   ssl.keystore.password=xxxxx
   ssl.client.auth=required
2. Got a certificate for the client and configured it in the client keystore:
   ssl.keystore.location=/home/kafka/certificate.p12
   ssl.keystore.password=xxxxx
3. Extracted the public certificate from the client certificate using the keytool command:
   keytool -export -file cert -keystore certificate.p12 -alias "12345" -storetype pkcs12 -storepass xxxxx
4. Imported the certificate into the broker truststore. The broker truststore contains only the client 12345 certificate.
   keytool -keystore truststore.p12 -import -file cert -alias 12345 -storetype pkcs12 -storepass xxxxx -noprompt
5. Configured the truststore in the broker:
   ssl.truststore.location=/home/kafka/truststore.p12
   ssl.truststore.password=xxxxx
6. Configured the truststore in the client. The client truststore contains CA certificates.
   ssl.truststore.location=/etc/pki/java/cacerts
   ssl.truststore.password=xxxxx

When I run the broker and client I expect the broker to authenticate the client and establish the SSL connection, but instead the following error is thrown:

[2021-06-03 23:32:06,864] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (abc.com/10.129.140.212:9093) failed authentication due to: SSL handshake failed (org.apache.kafka.clients.NetworkClient)
[2021-06-03 23:32:06,866] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed
Caused by: javax.net.ssl.SSLProtocolException: Unexpected handshake message: server_hello

I tried various things but nothing seems to work. When I replace the broker truststore with the /etc/pki/java/cacerts truststore file, which contains only the CA certificate, then it works fine, but it will authenticate any client which has a certificate issued by the CA. What could be the issue?
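An added diagnostic (example code written for this page, not from the question, Kafka or keytool) that loads the broker truststore from step 5 and the client keystore from step 2 and reports, for each truststore entry, whether it is a CA or an end-entity certificate, whether it is the pinned client leaf itself, and whether its key actually verifies the client certificate's signature. Paths, passwords and the client alias (12345 in the question) are taken from the command line; both stores are assumed to be PKCS12 as in the question.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TruststoreCheck {
    // Load a PKCS12 store, the format used for every store in the question.
    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // getBasicConstraints() is -1 unless the certificate carries cA=TRUE.
    static boolean isCa(X509Certificate c) {
        return c.getBasicConstraints() != -1;
    }

    public static void main(String[] args) throws Exception {
        // args: <truststore.p12> <truststore-pass> <client-keystore.p12> <client-pass> <client-alias>
        KeyStore trust = load(args[0], args[1]);
        KeyStore client = load(args[2], args[3]);
        X509Certificate leaf = (X509Certificate) client.getCertificate(args[4]);
        System.out.println("client cert subject: " + leaf.getSubjectX500Principal());
        System.out.println("client cert issuer : " + leaf.getIssuerX500Principal());

        boolean issuerPresent = false;
        for (String alias : Collections.list(trust.aliases())) {
            Certificate raw = trust.getCertificate(alias);
            if (!(raw instanceof X509Certificate)) continue;
            X509Certificate t = (X509Certificate) raw;
            String kind = isCa(t) ? "CA" : "end-entity";
            if (t.equals(leaf)) kind += " (pinned client leaf)";
            System.out.printf("truststore [%s] %s subject=%s%n", alias, kind, t.getSubjectX500Principal());
            // An entry can only have issued the client cert if its name matches the
            // client's issuer AND its public key verifies the client cert's signature.
            if (t.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                try { leaf.verify(t.getPublicKey()); issuerPresent = true; }
                catch (Exception e) { /* same name, different key: not the issuer */ }
            }
        }
        System.out.println(issuerPresent
            ? "truststore contains the CA that signed the client certificate"
            : "truststore contains NO issuer for the client certificate");
    }
}
```

Run it against both truststores from the question (the hand-built truststore.p12 and /etc/pki/java/cacerts) to see concretely which anchors each one offers the broker for this client.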