Configure TLS/SSL authentication for Kafka clients

Kafka supports TLS/SSL authentication (two-way authentication). Client configuration is done by setting the relevant security-related properties for the client.

The following steps demonstrate configuration for the console consumer or producer. If you are configuring a custom developed client, see Java client security examples or .Net client security examples for code examples.

  • Generate or acquire a key and truststore for your clients which contain all necessary keys and certificates.
  • Note down the locations and passwords for the key and truststores. You will need to provide these during configuration.
  • If the Certificate Authority of the client certificates is different from the Certificate Authority of the broker certificates, ensure the client Certificate Authority certificate is added to the truststore of the Kafka brokers.

    Otherwise, the broker will not trust the certificates used by its clients and a trusted connection will not be established.

  1. Create a .properties file.
    In this example the file is named
  2. Add the mandatory properties to the file.
    The following configuration example contains all mandatory properties:
    ssl.truststore.location=[***PATH TO CLIENT TRUSTSTORE***]
    ssl.keystore.location=[***PATH TO CLIENT KEYSTORE***]
  3. (Optional) Add additional properties.
    Depending on your requirements and broker configuration, other configuration properties might also be needed. The following are some of the most commonly used optional properties:
    • ssl.provider
    • ss.cipher.suites
    • ssl.enabled.protocols
    • ssl.truststore.type
    • ssl.keystore.type
  4. Run the client.
    Console Consumer
    kafka-console-producer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --producer.config
    Console Producer
    kafka-console-consumer --bootstrap-server [***HOST1:PORT1***] --topic [***TOPIC***] --consumer.config
Kafka clients are configured for TLS/SSL authentication.