You should likely use the custom authentication for that, where you can configure the truststore in any way you want.
I’ve configured my Kafka cluster such that the generation of client certificates by Strimzi is disabled. Instead, I’ve provided my own CA material — specifically, a custom ca.crt and ca.key — under the client CA section.
In this setup, instead of a single root CA, I’ve included multiple root certificates within the ca.crt file and used the tls-external listener for clients to present their certificates during authentication.
When there’s a single CA chain, everything works fine — client connections establish successfully. However, when multiple root CAs are included in the client CA bundle, client authentication fails with a “post-handshake error” during the SSL handshake.
I’d like to clarify:
• Does Strimzi’s Client CA support multiple root certificates in the ca.crt chain?
• Or does it always expect and validate against a single active certificate chain for client authentication?
Any insights or documentation references would be appreciated.