On rereading the Kafka docs, it a about one and the same 'server.keystore.jks' on the brokers after all. The replacement of the initially generated unsigned broker cert by the signed version of that same cert is done by importing the signed cert with the same alias, which effectively overwrites the unsigned cert by the signed one.
... View more
