[ https://issues.apache.org/jira/browse/KAFKA-12703 ]
Ville deleted comment on KAFKA-12703:
-------------------------------
was (Author: JIRAUSER280982):
What's the status on this issue? Any active development going on?
I can confirm that it's possible to configure a client with an unencrypted key
through the newly added configuration options 'ssl.keystore.key',
'ssl.keystore.certificate.chain' and 'ssl.truststore.certificates' in
[KIP-651|https://cwiki.apache.org/confluence/display/KAFKA/KIP-651+-+Support+PEM+format+for+SSL+certificates+and+private+key],
because 'ssl.key.password' is not enforced by validation then. But if you add
the same key and certificates through 'ssl.keystore.location' and
'ssl.truststore.location' while the types are set to 'PEM', the configuration
validation enforces adding 'ssl.key.password'. By adding a value, e.g. even an
empty string, for 'ssl.key.password', the default SSL engine proceeds to try to
decrypt the key and eventually throws an exception. By encrypting the same
key with PKCS8 and providing a password, everything works.
Either the requirement for 'ssl.key.password' while using PEM files should be
removed, a mechanism should be added to recognize whether the key is encrypted
or not, or the behavior between the mechanisms of adding the key should be
consolidated, i.e. always requiring an encrypted key. In the current form the
feature and its documentation are hard to interpret.
> Allow unencrypted private keys when using PEM files
> ---------------------------------------------------
>
> Key: KAFKA-12703
> URL: https://issues.apache.org/jira/browse/KAFKA-12703
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 2.8.0
> Reporter: Brian Bascoy
> Priority: Major
> Fix For: 3.3.0
>
>
> Unencrypted PEM files seem to be internally [supported in the
> codebase|https://github.com/apache/kafka/blob/a46beb9d29781e0709baf596601122f770a5fa31/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L509]
> but setting an ssl.key.password is currently enforced by createKeystore (on
> DefaultSslEngineFactory). I was unable to find a reason for this, so I wonder
> if this limitation could simply be removed:
>
> [https://github.com/pera/kafka/commit/8df2feab5fc6955cf8c89a7d132f05d8f562e16b]
>
> Thanks
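As an added illustration of the second option raised in the comment above (recognizing whether the PEM key is encrypted before demanding 'ssl.key.password'), the following is example code, not Kafka's own validation: `validate_pem_key_config` is a hypothetical stand-in for the config check in DefaultSslEngineFactory, and the PEM fragments are constructed with placeholder bodies.

```python
"""Decide whether a PEM private key actually needs ssl.key.password."""
import re
from pathlib import Path

# Constructed PEM fragments: the labels and headers are real, the bodies are
# truncated placeholders (not valid keys).
UNENCRYPTED_PKCS8 = """-----BEGIN PRIVATE KEY-----
MIIBVwIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEA
-----END PRIVATE KEY-----"""

ENCRYPTED_PKCS8 = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQI
-----END ENCRYPTED PRIVATE KEY-----"""

# Legacy OpenSSL ("traditional") format marks encryption with a Proc-Type header.
ENCRYPTED_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEowIBAAKCAQEAu2
-----END RSA PRIVATE KEY-----"""

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)-----END \1-----", re.S)


def pem_key_is_encrypted(pem: str) -> bool:
    """True if the first private-key block in `pem` is encrypted.

    PKCS#8 encrypted keys use the 'ENCRYPTED PRIVATE KEY' label; legacy
    OpenSSL keys keep an 'RSA/EC PRIVATE KEY' label and add 'Proc-Type: 4,ENCRYPTED'.
    Certificate blocks in the same file are skipped.
    """
    for label, body in _PEM_BLOCK.findall(pem):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label.endswith("PRIVATE KEY"):
            return "Proc-Type: 4,ENCRYPTED" in body
    raise ValueError("no private key block found in PEM input")


def validate_pem_key_config(config: dict, read_file=lambda p: Path(p).read_text()) -> list:
    """Hypothetical consolidated check: accept the key from either
    ssl.keystore.key (inline) or ssl.keystore.location with ssl.keystore.type=PEM,
    and require ssl.key.password only when the key is really encrypted."""
    pem = config.get("ssl.keystore.key")
    if pem is None and config.get("ssl.keystore.type") == "PEM":
        pem = read_file(config["ssl.keystore.location"])
    if pem is None:
        return []  # not a PEM key configuration; nothing to check here
    password = config.get("ssl.key.password")
    if pem_key_is_encrypted(pem):
        return [] if password else ["ssl.key.password is required: the PEM key is encrypted"]
    # An unencrypted key plus any password (even "") would make the engine try to decrypt.
    return [] if password is None else ["ssl.key.password set but the PEM key is not encrypted"]
```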
--
This message was sent by Atlassian Jira
(v8.20.10#820010)