Could we use our own signed certificate access proper Kafka resources

[barryzhounb]

Now I have replaced clients-ca-certs and client-ca with our own certificates, that means we use our own certificates as root CA for clients-ca.

We have an app that wants to connect Kafka with SSL mode. We sign app's CSR with our own certificates, then we obtain app's certificate and key that have been signed by our own certificates.

Under SSL mode, usually it needs to create a user and define ACL permissions, then this user can access connect Kafka via SSL and access proper resources. Now in our case, our app use its own signed certificates, doesn't use certificates that generated by Kafka user. My question is, could our app access proper Kafka resources?

[scholzj]

If you use the latest Strimzi version, you can use the type: tls-external authentication in the KafkaUser resource (assuming your certificates have the subject with CN only). You can also disable the user operator and just manage the ACLs or Quotas using the Kafka APIs of course.

[barryzhounb]

Hello @scholzj I have done verification for what you mentioned, it works well. Big thanks to you.

One more question to ask you. user's certificate is signed by clients-ca-cert, but in fact when user connects to Kafka broker, it is "Kafka broker" that perform authentication, kafka broker's root CA is cluster-ca-cert, I am confused for that? How Kafka broker authenticate against user who carries certificates that is signed by clients-ca-cert? Could you help elaborate it? Thanks.

[scholzj]

The Kafka brokers have the Clients CA certificate as well.

[barryzhounb]

You mean Kafka broker has add client-ca to truststore, correct?

[scholzj]

Yes, correct.

[barryzhounb]

make sense. thanks