[ https://issues.apache.org/jira/browse/KAFKA-8336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram resolved KAFKA-8336.
-----------------------------------
    Resolution: Fixed
      Reviewer: Manikumar

> Enable dynamic update of client-side SSL factory in brokers
> -----------------------------------------------------------
>
>                 Key: KAFKA-8336
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8336
>             Project: Kafka
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 2.2.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.3.0
>
>
> We currently support dynamic update of server-side keystores. This allows
> expired certs to be updated on brokers without a rolling restart. When mutual
> authentication is enabled for inter-broker communication
> (ssl.client.auth=required), we don't currently dynamically update client-side
> keystores for controller or transaction coordinator. So a broker restart (or
> controller change) is required for cert update for this case. Since
> short-lived SSL cert is a common use case, we should enable client-side cert
> updates for all client connections initiated by the broker to ensure that SSL
> certificate expiry can be handled with dynamic config updates on brokers for
> all configurations.
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)