Current state: Accepted (previously "Under Discussion")
Discussion thread: https://lists.apache.org/thread.html/r4e48ab3433c2a7d52c341dd309c1b3016b03fb82c7f2af99463f4166%40%3Cdev.kafka.apache.org%3E
- Add support for PEM files in addition to existing JKS/PKCS12 for key and trust stores. This enables use of third party providers that use PEM.
- Add new configurations to provide private key and certificates directly in PEM format without relying on files. This avoids the need to maintain and protect both Kafka config files and separate key store files.
- Support dynamic config updates of SSL private keys and certificates using Kafka protocol, without relying on a side channel for propagation of files.
- Support secret protection for SSL private keys through externalization or encryption, without also requiring to protect files on the file system.
- Protect PEM data using encryption when configured as dynamic configs, stored in ZooKeeper.
- Improve detection of certificate or private key change. We currently check file modification times since it is difficult to determine if certs in JKS/PKCS12 have changed. We can do a String comparison of PEM files instead.
- Avoid dependency on third party libraries in the default implementation.
- Include limited support for encrypted private keys in PEM format using standard Java libraries. Third party libraries like bouncycastle can be used to add a custom SslEngineFactory implementation to support a wider range of options for loading encrypted keys.
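As an added illustration of the last two goals (it is example code written for this page, not code from the KIP or from Kafka's own SslEngineFactory), the class below parses a PEM certificate chain and a PKCS#8 private key, including an encrypted PKCS#8 key, using only JDK classes, builds an in-memory KeyStore from them, and detects key rotation by comparing the PEM text rather than file modification times. The class and method names are assumptions; the sample key in main is generated in-process so nothing is read from disk.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical PEM loader using only JDK classes (no bouncycastle). */
public final class PemKeyStoreLoader {
    // One PEM block: header, base64 body (may span lines), matching footer.
    private static final Pattern PEM_BLOCK = Pattern.compile(
        "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\s]+?)\\s*-----END \\1-----");

    /** Returns the DER bytes of every block whose type matches, e.g. "CERTIFICATE". */
    static List<byte[]> decodeBlocks(String pem, String type) {
        List<byte[]> out = new ArrayList<>();
        Matcher m = PEM_BLOCK.matcher(pem);
        while (m.find()) {
            if (m.group(1).equals(type)) {
                out.add(Base64.getDecoder().decode(m.group(2).replaceAll("\\s", "")));
            }
        }
        return out;
    }

    /** Parses all certificates in a PEM string: a server chain or a set of trusted CA certs. */
    static List<Certificate> parseCertificates(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs = new ArrayList<>();
        for (byte[] der : decodeBlocks(pem, "CERTIFICATE")) {
            certs.add(cf.generateCertificate(new ByteArrayInputStream(der)));
        }
        return certs;
    }

    /** Parses an unencrypted "PRIVATE KEY" or an "ENCRYPTED PRIVATE KEY" (both PKCS#8). */
    static PrivateKey parsePrivateKey(String pem, char[] password) throws Exception {
        List<byte[]> plain = decodeBlocks(pem, "PRIVATE KEY");
        PKCS8EncodedKeySpec spec;
        if (!plain.isEmpty()) {
            spec = new PKCS8EncodedKeySpec(plain.get(0));
        } else {
            List<byte[]> enc = decodeBlocks(pem, "ENCRYPTED PRIVATE KEY");
            if (enc.isEmpty()) throw new IllegalArgumentException("no PKCS#8 private key in PEM data");
            if (password == null) throw new IllegalArgumentException("encrypted key but no password given");
            EncryptedPrivateKeyInfo info = new EncryptedPrivateKeyInfo(enc.get(0));
            // This is the "limited support": only PBE algorithms the JDK's providers know
            // (e.g. PBEWithHmacSHA256AndAES_256) decrypt here; others need a third party provider.
            SecretKeyFactory skf = SecretKeyFactory.getInstance(info.getAlgName());
            SecretKey pbeKey = skf.generateSecret(new PBEKeySpec(password));
            Cipher cipher = Cipher.getInstance(info.getAlgName());
            cipher.init(Cipher.DECRYPT_MODE, pbeKey, info.getAlgParameters());
            spec = info.getKeySpec(cipher);
        }
        // A PKCS8EncodedKeySpec carries no algorithm name, so try the common key types in turn.
        for (String alg : new String[] {"RSA", "EC", "DSA"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException ignored) {
                // not this algorithm, try the next
            }
        }
        throw new IllegalArgumentException("unsupported private key algorithm");
    }

    /** In-memory key store of the kind an SslEngineFactory would pass to a KeyManagerFactory. */
    static KeyStore toKeyStore(PrivateKey key, List<Certificate> chain, char[] storePassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);   // empty store, nothing read from disk
        ks.setKeyEntry("kafka", key, storePassword, chain.toArray(new Certificate[0]));
        return ks;
    }

    /** With PEM the material itself is a string, so change detection is a plain comparison. */
    static boolean changed(String previousPem, String currentPem) {
        return !previousPem.equals(currentPem);
    }

    private static String toPem(String type, byte[] der) {
        return "-----BEGIN " + type + "-----\n"
            + Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(der)
            + "\n-----END " + type + "-----\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two EC keys generated in-process stand in for the key before and after rotation.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        String pemBefore = toPem("PRIVATE KEY", kpg.generateKeyPair().getPrivate().getEncoded());
        String pemAfter = toPem("PRIVATE KEY", kpg.generateKeyPair().getPrivate().getEncoded());
        PrivateKey key = parsePrivateKey(pemBefore, null);
        System.out.println("parsed " + key.getAlgorithm() + " key in " + key.getFormat() + " format");
        System.out.println("unchanged reload detected as change? " + changed(pemBefore, pemBefore));
        System.out.println("rotated key detected as change?      " + changed(pemBefore, pemAfter));
    }
}
```

Two points worth noting from a defender's view: the comparison in changed() treats any byte difference, including a whitespace-only edit, as a rotation, which is the conservative choice when the alternative is silently serving a stale certificate; and because the decrypted PKCS#8 bytes exist only in memory here, the password in PBEKeySpec is the single secret that still needs protecting, which is exactly what the externalization and encryption goals above address.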