configuring ssl connection

[arktq]

i'm a little bit confused with configuring ssl connection

i got a valid java keystore file with ssl-certificates chain inside (root-intermediate-client). but librdkafka does not support jks as valid storage of ssl-stuff. So am i understand right that i need to extract from jks both root and intermediate certificates as pem-formatted certs (then concat it into one file e.g. "chain.pem"), extract client's cert (also as pem), extract clinet's private key, than i should configure ssl-core of librdkafka like that:

  config.set("ssl.ca.location", "%path_to%/chain.pem");
    
  config.set("ssl.certificate.location", "%path_to%/client_cert");
    
  config.set("ssl.key.location", "%path_to%/client_key");
  config.set("ssl.key.password", "key_pass");

am i right?

i mean my question is what does "ssl.ca.location" exactly configuring: only root cert or full chain-cert (concated root-intermediate) or something else? Or maybe there is other (simpler\more common) way to deal with jks storage?

[edenhill]

I believe OpenSSL requires the full root chain to verify the broker's certificate.