[ https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488714#comment-17488714 ]

Elliot West commented on KAFKA-13293:
-------------------------------------

[~rsivaram] ^

> Support client reload of JKS/PEM certificates
> ---------------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Producer/Consumer clients do not currently automatically reload certificates 
> when the key stores were modified, or certificates expire. Currently one 
> supplies key chains when instantiating clients only - there is no mechanism 
> available to either directly reconfigure the client, or for the client to 
> observe changes to the original properties set reference used in 
> construction. Additionally, no work-arounds are documented that might give 
> users alternative strategies for dealing with expiring certificates. 
> Given that expiration and renewal of certificates is an industry standard 
> practice, it could be argued that the current client certificate 
> implementation is not fit for purpose. A mechanism should be provided such 
> that clients can automatically detect, load, and use updated key chains from 
> some abstracted source.
> Finally, it is suggested that in the short-term Kafka documentation be 
> updated to describe any viable mechanism for updating client certs (perhaps 
> closing existing client and then recreating?).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
