<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>question Re: Kafka with SSL in Support Questions</title>
    <link>https://community.cloudera.com/t5/Support-Questions/Kafka-with-SSL/m-p/234030#M195851</link>
    <description>&lt;P&gt;It should be like this, in case only the brokers need to authenticate (one-way server side SSL auth) to the clients:&lt;/P&gt;&lt;P&gt;You need:&lt;/P&gt;&lt;P&gt;1. Client side: 1 keystore (client.truststore.jks) containing just the ca_cert you created and that was used to sign the broker / server certificates&lt;/P&gt;&lt;P&gt;2. Server side: On each broker 1 keystore (server.keystore.jks) containing both the server specific certificate generated before (which should now be signed by the CA) and the certificate of the CA itself.&lt;/P&gt;&lt;P&gt;What is misleading in the Kafka documentation is the first step, where a keystore 'server.keystore.jks' is created in the very first step, only to export the unsigned cert from it to actually sign it. This is not the same 'server.keystore.jks' as in 2. above, as it should not contain the unsigned broker cert anymore! You don't necessarily need a keystore to create a certificate to sign; you can also just create a cert + key, have it signed and then import it into a new keystore.&lt;/P&gt;&lt;P&gt;Also, it makes more sense to me to copy the CA cert onto the brokers than moving it back-and-forth from server -&amp;gt; CA node (to sign) -&amp;gt; back to server (to import into final 'server.keystore.jks')&lt;/P&gt;&lt;P&gt;Hope it makes sense&lt;/P&gt;</description>
    <pubDate>Fri, 01 Sep 2017 04:37:48 GMT</pubDate>
    <dc:creator>jknulst</dc:creator>
    <dc:date>2017-09-01T04:37:48Z</dc:date>
  </channel>
</rss>

