A few things to check:
1. The client trust store needs to trust the server cert's issuer cert (AKA the CA cert).
2. The client must have a keystore that can be trusted by the server's trust store.
3. The server needs to be accessed either via FQDN or via one of the SAN addresses. If you are self-signing, you can add many DNS aliases and even IP addresses to the server's cert.
4. Make sure the server cert has an extended key usage of serverAuth, and the client cert has an extended key usage of clientAuth. Actually you can have both, if you are generating them yourself.
Wu Shilin
Solution Architect, Confluent <https://www.confluent.io>

On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> Hi All,
>
> While trying mTLS with ssl.client.auth=required, from the client side we are
> seeing some junk certificates which we have not imported on the client
> side?
>
> Please help with this?
>
> Thanks & Regards
>
> Anjali