[ https://issues.apache.org/jira/browse/KAFKA-13293?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17414227#comment-17414227 ]
Elliot West commented on KAFKA-13293:
-------------------------------------

[~rsivaram] on point 2, would that actually work for clients though? I ask because it seems as though the {{DefaultSslEngineFactory}} [already does this|https://github.com/apache/kafka/blob/99b9b3e84f4e98c3f07714e1de6a139a004cbc5b/clients/src/main/java/org/apache/kafka/common/security/ssl/DefaultSslEngineFactory.java#L102-L113].

> Support client reload of PEM certificates
> -----------------------------------------
>
>                 Key: KAFKA-13293
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13293
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 2.7.0, 2.8.0, 2.7.1
>            Reporter: Elliot West
>            Priority: Major
>
> Since Kafka 2.7.0, clients are able to authenticate using PEM certificates as
> client configuration properties in addition to JKS file based key stores
> (KAFKA-10338). With PEM, certificate chains are passed into clients as simple
> string based key-value properties, alongside existing client configuration.
> This offers a number of benefits: it provides a JVM agnostic security
> mechanism from the perspective of clients, removes the client's dependency on
> the local filesystem, and allows the encapsulation of the entire client
> configuration into a single payload.
>
> However, the current client PEM implementation has a feature regression when
> compared with the JKS implementation. With the JKS approach, clients would
> automatically reload certificates when the key stores were modified on disk.
> This enables a seamless approach for the replacement of certificates when
> they are due to expire; no further configuration or explicit interference
> with the client lifecycle is needed for the client to migrate to renewed
> certificates.
>
> Such a capability does not currently exist for PEM. One supplies key chains
> when instantiating clients only - there is no mechanism available to either
> directly reconfigure the client, or for the client to observe changes to the
> original properties set reference used in construction. Additionally, no
> work-arounds are documented that might give users alternative strategies for
> dealing with expiring certificates. Given that expiration and renewal of
> certificates is an industry standard practice, it could be argued that the
> current PEM client implementation is not fit for purpose.
>
> In summary, a mechanism should be provided such that clients can
> automatically detect, load, and use updated PEM key chains from some non-file
> based source (object ref, method invocation, listener, etc.)
>
> Finally, it is suggested that in the short-term Kafka documentation be
> updated to describe any viable mechanism for updating client PEM certs
> (perhaps closing existing client and then recreating?).

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
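As an added illustration of the short-term work-around the issue suggests (close the existing client and recreate it with the renewed PEM material), the wrapper below is example code written for this page; it is neither Kafka's own code nor the reporter's. The class name, the read/write-lock scheme and the 30-second close timeout are assumptions made here. The config keys it uses (ssl.keystore.type=PEM, ssl.keystore.key, ssl.keystore.certificate.chain, ssl.truststore.type=PEM, ssl.truststore.certificates) are the PEM client properties introduced by KAFKA-10338 in Kafka 2.7.0, exposed as constants on SslConfigs.

```java
import java.time.Duration;
import java.util.Properties;
import java.util.concurrent.Future;
import java.util.concurrent.locks.ReentrantReadWriteLock;

import org.apache.kafka.clients.CommonClientConfigs;
import org.apache.kafka.clients.producer.KafkaProducer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.clients.producer.ProducerRecord;
import org.apache.kafka.clients.producer.RecordMetadata;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.serialization.StringSerializer;

/**
 * Hypothetical wrapper (example code, not part of Kafka): rotates a producer's
 * PEM client certificate by constructing a new KafkaProducer with the renewed
 * key and chain and retiring the old one. Senders hold a read lock while
 * calling send(); rotation takes the write lock for the swap, so no caller can
 * ever observe a producer that has already been closed.
 */
public final class PemRotatingProducer implements AutoCloseable {
    private final String bootstrapServers;
    private final String caCertsPem;                 // trusted CA certificates, PEM text
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private KafkaProducer<String, String> current;   // guarded by lock

    public PemRotatingProducer(String bootstrapServers, String caCertsPem,
                               String keyPem, String certChainPem) {
        this.bootstrapServers = bootstrapServers;
        this.caCertsPem = caCertsPem;
        this.current = new KafkaProducer<>(pemConfig(keyPem, certChainPem));
    }

    /** Inline PEM SSL configuration (KAFKA-10338, Kafka 2.7.0): no files on disk. */
    private Properties pemConfig(String keyPem, String certChainPem) {
        Properties p = new Properties();
        p.put(ProducerConfig.BOOTSTRAP_SERVERS_CONFIG, bootstrapServers);
        p.put(CommonClientConfigs.SECURITY_PROTOCOL_CONFIG, "SSL");
        p.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class.getName());
        p.put(SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG, "PEM");
        p.put(SslConfigs.SSL_TRUSTSTORE_CERTIFICATES_CONFIG, caCertsPem);
        p.put(SslConfigs.SSL_KEYSTORE_TYPE_CONFIG, "PEM");
        p.put(SslConfigs.SSL_KEYSTORE_KEY_CONFIG, keyPem);                  // PKCS#8 private key
        p.put(SslConfigs.SSL_KEYSTORE_CERTIFICATE_CHAIN_CONFIG, certChainPem); // leaf first
        return p;
    }

    /** Sends through whichever producer is current; blocks only during a swap. */
    public Future<RecordMetadata> send(String topic, String key, String value) {
        lock.readLock().lock();
        try {
            return current.send(new ProducerRecord<>(topic, key, value));
        } finally {
            lock.readLock().unlock();
        }
    }

    /**
     * Installs renewed PEM material. The new producer is fully constructed, and
     * therefore its SSL context built from the new key and chain, before the swap:
     * an unparsable key or chain throws here and leaves the old producer in place.
     */
    public void rotate(String newKeyPem, String newCertChainPem) {
        KafkaProducer<String, String> fresh =
                new KafkaProducer<>(pemConfig(newKeyPem, newCertChainPem));
        KafkaProducer<String, String> retired;
        lock.writeLock().lock();
        try {
            retired = current;
            current = fresh;
        } finally {
            lock.writeLock().unlock();
        }
        // Every send() that saw 'retired' has returned (it held the read lock), so the
        // old producer can drain its buffered records over its existing connections
        // and then close without racing any caller.
        retired.flush();
        retired.close(Duration.ofSeconds(30));
    }

    @Override
    public void close() {
        lock.writeLock().lock();
        try {
            current.flush();
            current.close(Duration.ofSeconds(30));
        } finally {
            lock.writeLock().unlock();
        }
    }
}
```

What triggers rotate() is deliberately left to the caller: a poll of a secrets manager, a callback from the certificate issuer, or a listener on whatever object holds the configuration, which is the kind of non-file source the issue asks Kafka itself to support. Two caveats a practitioner should expect: each rotation pays the cost of a new producer (metadata fetch, fresh TLS handshakes, new buffer pool), and a consumer rotated the same way leaves and rejoins its group, so a rebalance is part of the price.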