I am trying to bring up the Kafka cluster using the Strimzi operator with mTLS configured for external clients. I have the CA certificates from Let's Encrypt. I also have the public certificate (issued by the CA) and private keys for my server and client. I am trying to follow the Strimzi documentation https://strimzi.io/docs/operators/latest/full/deploying.html#installing-your-own-ca-certificates-str. Configuring the <cluster_name>-cluster-ca-cert and <cluster_name>-clients-ca-cert is clear. Since I have the CA certificates for both client and server, I can configure them. But I am not sure how to configure the <cluster_name>-cluster-ca and <cluster_name>-clients-ca. Both of them need the private keys of the corresponding CA, which are not available in my case as the CA is a third party. But without this my Kafka cluster is not coming up (as I have set generateCertificateAuthority to false for both clusterCa and clientsCa). I tried providing the private keys of the server and client to <cluster_name>-cluster-ca and <cluster_name>-clients-ca respectively (though incorrect) and it did not work as expected. The Strimzi operator tries to sign certificates using the private keys and it fails. I am now stuck at this point and not able to proceed with my mTLS configuration. I tried using the latest version of the Strimzi operator (0.45.0). Any help here would be greatly appreciated.
You cannot use public CAs such as Let's Encrypt for the internal CAs. That is not how the public CA infrastructure and TLS work. If you want to use a public CA such as Let's Encrypt, you should get a server certificate from the public CA and use it as the custom listener certificate - it is described in the docs as well.
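As an added illustration of the setup described in this answer (this is not the original poster's configuration or Strimzi's own example), the fragments below wire a Let's Encrypt certificate into an external listener with `brokerCertChainAndKey` while leaving the cluster and clients CAs generated by Strimzi, so mTLS client authentication still checks against the private clients CA. The cluster name `my-cluster`, the secret name `my-letsencrypt-listener-cert`, the listener port and type, and the `alice` user are assumptions; the listener and user fields are the Strimzi `Kafka` and `KafkaUser` CRD fields, and the rest of the `Kafka` spec is omitted.

```yaml
# Added example, not from the discussion. Assumes the Let's Encrypt
# certificate chain and private key were loaded into a TLS secret first, e.g.:
#   kubectl create secret tls my-letsencrypt-listener-cert \
#     --cert=fullchain.pem --key=privkey.pem -n <kafka-namespace>
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster            # assumed cluster name
spec:
  kafka:
    # clusterCa / clientsCa are intentionally NOT set to
    # generateCertificateAuthority: false; Strimzi keeps its private CAs
    # and signs broker and client certificates with them.
    listeners:
      - name: external        # assumed listener name
        port: 9094            # assumed port
        type: loadbalancer    # assumed listener type
        tls: true
        authentication:
          type: tls           # mTLS: clients must present a cert signed by
                              # the Strimzi clients CA, not a public CA
        configuration:
          brokerCertChainAndKey:
            # Public (Let's Encrypt) certificate is used ONLY as the server
            # certificate that external clients verify on this listener.
            secretName: my-letsencrypt-listener-cert
            certificate: tls.crt
            key: tls.key
    # ... remaining Kafka spec (replicas/node pools, storage, config) omitted
---
# Client identities are issued by Strimzi's clients CA via KafkaUser; the
# resulting secret holds the client cert and key the external client uses.
apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  name: alice                 # assumed user name
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
```

External clients trust the listener through the public Let's Encrypt chain in their normal trust store, while the broker only accepts client certificates that chain to the Strimzi-managed clients CA. That split is what keeps the authentication side private: a certificate from any public CA is rejected on the client-auth side, which is the concern raised in the reply below about public CAs and mTLS.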
No, public CAs are not suitable for mTLS (TLS client authentication). If you would do that, anyone with a Let's Encrypt certificate would be able to connect.