Configure TLS/SSL encryption for Kafka clients

Kafka supports TLS/SSL-encrypted communication with both brokers and clients. You configure a client by setting the relevant security properties in its configuration.

The following steps demonstrate configuration for the console consumer or producer. If you are configuring a custom-developed client, see Java client security examples or .NET client security examples for code examples.

  • Generate or acquire a truststore containing the certificate of the Certificate Authority that issued the broker certificates.
  • Note down the location and password for the truststore. You will need to provide these during configuration.
  1. Create a .properties file.
    In this example the file is named
  2. Add the mandatory properties to the file.
    The following configuration example contains all mandatory properties:
    ssl.truststore.location= [***PATH TO CLIENT TRUSTSTORE***]
  3. (Optional) Add additional security properties to the file.
    Depending on your requirements and broker configuration, additional configuration properties might also be needed. The following are some of the most commonly used optional properties:
    • ssl.provider
    • ssl.cipher.suites
    • ssl.enabled.protocols
    • ssl.truststore.type
    • ssl.keystore.type
  4. Run the client.
    Console Producer
    kafka-console-producer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --producer.config
    Console Consumer
    kafka-console-consumer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --consumer.config
Kafka clients are configured for TLS/SSL encryption.
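
The following Python check is an added example, not part of the original documentation: it lints a client .properties file for the settings discussed above before you run the client. The function names and sample configurations are constructed for illustration, and `security.protocol` and `ssl.endpoint.identification.algorithm` are standard Kafka client properties that are not listed on this page.

```python
# Added example: lint a Kafka client .properties file before running the client.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated protocol versions

def parse_properties(text):
    """Parse the plain key=value subset of the Java .properties format."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or comment
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def lint_tls_client_config(text):
    """Return a list of findings; an empty list means no issue was detected."""
    props = parse_properties(text)
    findings = []
    # Kafka clients default to PLAINTEXT when security.protocol is absent.
    protocol = props.get("security.protocol", "PLAINTEXT")
    if protocol not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={protocol}: connection is not encrypted")
    truststore = props.get("ssl.truststore.location", "")
    if not truststore:
        findings.append("ssl.truststore.location is not set")
    elif "[***" in truststore:
        findings.append("ssl.truststore.location still holds a template placeholder")
    enabled = {p.strip() for p in props.get("ssl.enabled.protocols", "").split(",")}
    for proto in sorted(enabled & WEAK_PROTOCOLS):
        findings.append(f"ssl.enabled.protocols allows deprecated {proto}")
    # An explicitly empty value turns off broker hostname verification.
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append("ssl.endpoint.identification.algorithm is empty: "
                        "hostname verification is disabled")
    return findings

# Constructed sample inputs (paths and passwords are made up for the example).
GOOD_CONFIG = """\
security.protocol=SSL
ssl.truststore.location=/etc/kafka/client.truststore.jks
ssl.truststore.password=example-password
ssl.enabled.protocols=TLSv1.2,TLSv1.3
"""
BAD_CONFIG = """\
# security.protocol left out, template not filled in
ssl.truststore.location= [***PATH TO CLIENT TRUSTSTORE***]
ssl.enabled.protocols=TLSv1.2,TLSv1
ssl.endpoint.identification.algorithm=
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_tls_client_config(cfg))
```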