Re: Reg: Setting up strimzi kafka with own CA certs
toggle quoted message Show quoted text
FWIW I am in the process of rewriting the certificate handling to support more flexible CA hierarchies (and other things) for the "cluster CA" and "clients CA". It's still some way off a PR, but it would support having brokers trust a given root CA certificate (without access to the key), but issuing using an intermediate certificate, which sounds like what you want.
On Thu, Apr 15, 2021 at 5:10 PM Jakub Scholz <jakub@...> wrote:
Strimzi needs to issue the certificates for the different components to secure them. That is why it needs a CA which can do that. If you use server certificate to issue new certs, properly written applications should reject it. If you want to use a server certificate, you should check the listener certificates, where you can provide only a server certificate and it will be used only for a given listener but not to secure replication etc.: https://strimzi.io/docs/operators/latest/full/using.html#kafka-listener-certificates-strJakubOn Thu, Apr 15, 2021 at 3:00 PM Nag Raj <tsnagraj.08@...> wrote:Hi team,I was deploying strimzi kafka with own CA certs, my organization provides CA.crt, rootCA and intermediate CA. But in the strimzi documentation, to implement this scenario we need to have CA.Key as well which is not provided by my organization. Is there any way we can implement this use case without CA. Key. Thank you.Regards,Raj