Last updated: 2026-02-11
Kafka TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for Apache Kafka to encrypt client-to-broker and broker-to-broker communication. Kafka uses Java's JSSE (Java Secure Socket Extension) for TLS, so certificates are managed through Java keystores.
Prerequisites
- Apache Kafka 3.0 or later
- Java 11 or later (for TLS 1.3 support)
- SSL certificates in Java Keystore (JKS) or PKCS12 format
Certificate Setup
Kafka uses Java keystores for certificate management. You need a keystore (containing the broker's certificate and private key) and a truststore (containing the CA certificate).
Create a CA and Broker Keystore
Generate a key pair and certificate signing request for the broker, then have it signed by your CA (a self-signed CA is fine for testing):
# Generate a broker keystore with a new key pair
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
-alias kafka-broker -keyalg RSA -keysize 2048 \
-genkey -validity 365 -storepass changeit \
-dname "CN=kafka.example.com"
# Generate a CSR
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
-alias kafka-broker -certreq -file broker.csr -storepass changeit
# Sign with your CA (using openssl)
openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out broker-signed.crt -days 365
# Import the CA certificate into the keystore
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
-alias CARoot -importcert -file ca.crt -storepass changeit -noprompt
# Import the signed certificate
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
-alias kafka-broker -importcert -file broker-signed.crt -storepass changeit
Create a Truststore
keytool -keystore /etc/kafka/ssl/kafka.server.truststore.jks \
-alias CARoot -importcert -file ca.crt -storepass changeit -noprompt
Using PKCS12 (Alternative)
Convert PEM files to PKCS12 format:
openssl pkcs12 -export -in broker.crt -inkey broker.key -chain -CAfile ca.crt \
-out /etc/kafka/ssl/kafka.server.keystore.p12 -name kafka-broker -password pass:changeit
Broker Configuration
Add the following settings to server.properties.
Enable TLS Listener
Configure Kafka to listen on a TLS-encrypted port:
listeners=SSL://0.0.0.0:9093
advertised.listeners=SSL://kafka.example.com:9093
To support both plaintext and TLS during migration:
listeners=PLAINTEXT://0.0.0.0:9092,SSL://0.0.0.0:9093
Keystore and Truststore
ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.type=JKS
ssl.truststore.type=JKS
For PKCS12:
ssl.keystore.type=PKCS12
ssl.truststore.type=PKCS12
Protocol Versions
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLSv1.3
- ssl.enabled.protocols lists all allowed TLS versions.
- ssl.protocol sets the default protocol used when creating new SSL connections.
Cipher Suites
Configure strong cipher suites (AEAD suites only; the TLS 1.2 entries all use ECDHE key exchange for forward secrecy). Kafka uses JSSE (Java) cipher names, and the JVM rejects names it does not support, so drop any suite your broker JVM lacks; the ChaCha20-Poly1305 suites, for example, were added in Java 12:
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Client Authentication
To require clients to present a TLS certificate (mutual TLS):
ssl.client.auth=required
Accepted values:
- required -- Clients must present a valid certificate
- requested -- Clients are asked for a certificate but not required to present one
- none -- No client certificate verification
Endpoint Identification
Enable hostname verification to prevent man-in-the-middle attacks:
ssl.endpoint.identification.algorithm=https
Inter-Broker TLS
Encrypt broker-to-broker communication within the cluster:
inter.broker.listener.name=SSL
Use inter.broker.listener.name (preferred) or security.inter.broker.protocol, but not both. When inter.broker.listener.name is set, security.inter.broker.protocol is ignored.
If using separate listeners for internal and external traffic:
listeners=INTERNAL://0.0.0.0:9093,EXTERNAL://0.0.0.0:9094
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL
Controller TLS (KRaft Mode)
For Kafka clusters using KRaft mode (without ZooKeeper), configure the controller listener:
controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SSL,BROKER:SSL
# Controller SSL settings
listener.name.controller.ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
listener.name.controller.ssl.keystore.password=changeit
listener.name.controller.ssl.key.password=changeit
listener.name.controller.ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
listener.name.controller.ssl.truststore.password=changeit
Complete Broker Configuration
# Listeners
listeners=SSL://0.0.0.0:9093
advertised.listeners=SSL://kafka.example.com:9093
# Inter-broker
inter.broker.listener.name=SSL
# Keystore and truststore
ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.type=JKS
ssl.truststore.type=JKS
# Protocol and ciphers
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLSv1.3
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
# Client authentication
ssl.client.auth=required
ssl.endpoint.identification.algorithm=https
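As an added example (not part of this guide or the Kafka project), a small Python audit that parses a server.properties file and reports settings weaker than the ones recommended above: unencrypted listeners, a non-TLS inter-broker path, legacy protocol versions, non-AEAD or non-ECDHE cipher suites, optional client authentication, and disabled hostname verification. The properties embedded below are constructed for the demonstration.

```python
# Constructed sample server.properties (not from the guide): the hardened settings
# with several weakenings left in on purpose so that the audit reports them.
SAMPLE_PROPERTIES = """
listeners=PLAINTEXT://0.0.0.0:9092,INTERNAL://0.0.0.0:9093
listener.security.protocol.map=INTERNAL:SSL
inter.broker.listener.name=INTERNAL
ssl.enabled.protocols=TLSv1.1,TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA
ssl.client.auth=requested
ssl.endpoint.identification.algorithm=
"""

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines; '#' or '!' lines are comments."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and l[0] not in "#!")
    return {k.strip(): v.strip() for k, _, v in pairs}

def listener_protocols(props):
    """Map each listener name in `listeners` to its security protocol (map overrides defaults)."""
    proto_map = {p: p for p in ("PLAINTEXT", "SSL", "SASL_PLAINTEXT", "SASL_SSL")}
    for entry in filter(None, props.get("listener.security.protocol.map", "").split(",")):
        name, _, proto = entry.partition(":")
        proto_map[name.strip()] = proto.strip()
    names = [p.split("://")[0].strip() for p in props.get("listeners", "").split(",") if "://" in p]
    return {n: proto_map.get(n, "UNKNOWN") for n in names}

def audit_broker_tls(props):
    """Return findings where the broker config is weaker than this guide recommends."""
    findings, protocols = [], listener_protocols(props)
    for name, proto in protocols.items():
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.append(f"listener {name} is unencrypted ({proto})")
    # inter.broker.listener.name wins over security.inter.broker.protocol when both are set
    ib_name = props.get("inter.broker.listener.name")
    ib_proto = protocols.get(ib_name) if ib_name else props.get("security.inter.broker.protocol", "PLAINTEXT")
    if ib_proto not in ("SSL", "SASL_SSL"):
        findings.append(f"inter-broker traffic is not TLS-protected ({ib_proto})")
    for ver in props.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.3").split(","):
        if ver.strip() not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"legacy protocol enabled: {ver.strip()}")
    for suite in filter(None, props.get("ssl.cipher.suites", "").split(",")):
        # AEAD only (GCM or ChaCha20); TLS 1.2 suites must use ECDHE, not static RSA, key exchange
        if ("_GCM_" not in suite and "CHACHA20" not in suite) or suite.startswith("TLS_RSA_"):
            findings.append(f"weak cipher suite: {suite}")
    if props.get("ssl.client.auth", "none") != "required":
        findings.append("ssl.client.auth is not 'required': mutual TLS is not enforced")
    if props.get("ssl.endpoint.identification.algorithm", "https") == "":
        findings.append("hostname verification disabled by empty ssl.endpoint.identification.algorithm")
    return findings
```

Run it against a real server.properties by passing the file contents to parse_properties; an empty list means every check above passed.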
Client Configuration
Producer/Consumer Properties
security.protocol=SSL
ssl.truststore.location=/path/to/client.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.location=/path/to/client.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.endpoint.identification.algorithm=https
Command-Line Tools
Test with the console producer:
kafka-console-producer.sh --bootstrap-server kafka.example.com:9093 \
--topic test --producer.config /path/to/client-ssl.properties
Verification
Check that the SSL listener is active:
openssl s_client -connect kafka.example.com:9093
Verify broker connectivity using kafka-broker-api-versions:
kafka-broker-api-versions.sh --bootstrap-server kafka.example.com:9093 \
--command-config /path/to/client-ssl.properties
Check the broker logs for TLS handshake information:
grep -i ssl /var/log/kafka/server.log