apache-kafkastrimziapache-kafka-security

How to handle Kafka cluster CA certificate?


I have installed Strimzi Kafka and created TLS enabled cluster as follows:

    listeners:
      plain: {}
      tls:
        authentication:
          type: tls

The Kafka cluster CA certificate created automatically and looks like this:

Entry type: trustedCertEntry                                                                                                                                                                                                                                                                                                                                                                                                          
Owner: CN=cluster-ca v0, O=io.strimzi                                                                                                                                                                              
Issuer: CN=cluster-ca v0, O=io.strimzi                                                                                                                                                                             
Serial number: def376173b64bf84                                                                                                                                                                                    
Valid from: Tue Jan 26 23:25:07 MSK 2021 until: Wed Jan 26 23:25:07 MSK 2022                                                                                                                                       
Certificate fingerprints:                                                                                                                                                                                                   
SHA1: 4D:AA:27:0F:84:61:88:D0:B8:1C:CB:9A:DD:5F:D3:E8:3D:52:B4:65                                                                                                                                                  

The question is: what should I do after a year passed (as the certificate automatically created with 1 year period). I use TLS authentication for the clients (producers/consumers) -- and as a result I add this certificate to SSL truststore on the client side. What should I need on the client after a year passed? I guess update truststore with new cluster CA certificate?


Solution

  • The CA will be automatically renewed by Strimzi. You can just update your truststore and keep using your cluster. If you prefer, you can also provide your own certificate for the listener: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-str or your own CA: https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str