# Client-side mTLS properties (Kafka client / CLI tools)
ssl.truststore.location=/root/truststore.jks
ssl.truststore.type=JKS
ssl.truststore.password=changeme
ssl.keystore.location=/root/alice.jks
ssl.keystore.type=JKS
ssl.keystore.password=changeme
# ssl.key.password is only needed if the key's password differs from the keystore password
security.protocol=SSL
# the property is bootstrap.servers (plural); the original post had it misspelled
bootstrap.servers=cp-kafka1:9093
# verify the broker hostname against its cert; "https" is the only supported value, an empty string disables the check
ssl.endpoint.identification.algorithm=https

This worked for me pretty well.

Of course you need to generate those certs with OpenSSL.

The trust store only contains the CA cert; the key store contains the
keypair for alice (the user here).


[image: Confluent] <https://www.confluent.io>
Wu Shilin
Solution Architect
+6581007012
Follow us: [image: Blog]
<https://www.confluent.io/blog?utm_source=footer&utm_medium=email&utm_campaign=ch.email-signature_type.community_content.blog>[image:
Twitter] <https://twitter.com/ConfluentInc>[image: LinkedIn]
<https://www.linkedin.com/company/confluent/>[image: Slack]
<https://slackpass.io/confluentcommunity>[image: YouTube]
<https://youtube.com/confluent>
[image: Kafka Summit] <https://www.kafka-summit.org/>


On Thu, Jun 24, 2021 at 11:38 AM Anjali Sharma <sharma.anjali.2...@gmail.com>
wrote:

> Thanks for this info. Can you please share what all needs to be present on
> the client side for mTLS, as in what all configuration is needed on that side?
>
> Thanks
>
> On Thu, Jun 24, 2021, 07:51 Shilin Wu <s...@confluent.io.invalid> wrote:
>
> > A few things to check:
> >
> > 1. Client trust store needs to trust the server cert's issuer cert (AKA the
> > CA cert)
> > 2. The client must have a keystore that can be trusted by the server's trust
> > store.
> > 3. The server needs to be accessed either via FQDN, or one of the SAN
> > addresses. If you are doing self-signing, you can add many DNS aliases and
> > even IP addresses to the server's cert.
> > 4. Make sure the server cert has extended key usage of serverAuth, and the
> > client cert has extended key usage of clientAuth. Actually you can have both
> > if you are generating yourself.
> >
> > On Thu, Jun 24, 2021 at 12:37 AM Anjali Sharma <sharma.anjali.2...@gmail.com> wrote:
> >
> > > Hi All,
> > >
> > > While trying for mTLS with ssl.client.auth=required, from the client side we are
> > > seeing some junk certificates which we have not imported on the client
> > > side.
> > >
> > > Please help with this.
> > >
> > > Thanks & Regards
> > >
> > > Anjali
> > >
> >
>
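As an added example (not code from the thread, and not Confluent's own tooling), here is an OpenSSL-only script that produces what the four checks and the "generate those certs" step above call for, then verifies the result. It assumes openssl is on the PATH; the function names, file names and the "Test Kafka CA" subject are mine, and it writes PKCS12 stores (which Kafka accepts via ssl.keystore.type=PKCS12 / ssl.truststore.type=PKCS12) instead of the JKS files used in the config above.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds what checks 1-4 above ask for:
# truststore = CA cert only; keystore = alice's keypair; broker cert with the
# connect name in its SAN and EKU serverAuth; client cert with EKU clientAuth.
# Stores are PKCS12, which Kafka accepts (ssl.*store.type=PKCS12); the thread
# used JKS. cp-kafka1, alice and changeme are the thread's values.

make_mtls_certs() (
  dir="$1"; broker="${2:-cp-kafka1}"; pass="${3:-changeme}"
  mkdir -p "$dir" && cd "$dir" &&
  # 1. Private CA (check 1: its cert is the only thing the client truststore holds)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Kafka CA" \
    -keyout ca.key -out ca.csr 2>/dev/null &&
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext &&
  openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext \
    -out ca.crt 2>/dev/null &&
  # 2. Broker cert: SAN lists the names clients dial (check 3), EKU serverAuth (check 4)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$broker" \
    -keyout broker.key -out broker.csr 2>/dev/null &&
  printf 'subjectAltName=DNS:%s,DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
    "$broker" > broker.ext &&
  openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile broker.ext -out broker.crt 2>/dev/null &&
  # 3. Client cert for alice with EKU clientAuth (checks 2 and 4)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout alice.key -out alice.csr 2>/dev/null &&
  printf 'extendedKeyUsage=clientAuth\n' > alice.ext &&
  openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile alice.ext -out alice.crt 2>/dev/null &&
  # 4. Keystore: alice's key + cert (+ CA chain). Truststore: the CA cert, nothing else.
  openssl pkcs12 -export -inkey alice.key -in alice.crt -certfile ca.crt \
    -name alice -passout "pass:$pass" -out alice.p12 &&
  openssl pkcs12 -export -nokeys -in ca.crt -name ca -passout "pass:$pass" \
    -out truststore.p12
)

# Returns 0 when the generated files satisfy checks 1-4 from the thread.
verify_mtls_certs() (
  dir="$1"; broker="${2:-cp-kafka1}"; pass="${3:-changeme}"
  cd "$dir" &&
  openssl verify -CAfile ca.crt broker.crt alice.crt >/dev/null &&
  openssl x509 -in broker.crt -noout -text | grep -q 'TLS Web Server Authentication' &&
  openssl x509 -in broker.crt -noout -text | grep -q "DNS:$broker" &&
  openssl x509 -in alice.crt -noout -text | grep -q 'TLS Web Client Authentication' &&
  # any second cert here is exactly the "junk" a misbuilt truststore would present
  [ "$(openssl pkcs12 -in truststore.p12 -passin "pass:$pass" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE')" = 1 ]
)
```

Point the client at alice.p12 and truststore.p12 with ssl.keystore.type=PKCS12 and ssl.truststore.type=PKCS12 (and the same password) in place of the JKS entries above.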
