Last updated: 2026-06-25

Kafka TLS/SSL Configuration Guide

This guide provides recommended TLS/SSL settings for Apache Kafka to encrypt client-to-broker and broker-to-broker communication. Kafka uses Java's JSSE (Java Secure Socket Extension) for TLS, so certificates are managed through Java keystores.

Prerequisites

  • Apache Kafka 3.0 or later (Kafka 4.x is current)
  • Java 17 or later for brokers (Java 11 supported for clients and Streams)
  • SSL certificates in Java Keystore (JKS) or PKCS12 format

Certificate Setup

Kafka uses Java keystores for certificate management. You need a keystore (containing the broker's certificate and private key) and a truststore (containing the CA certificate).

Create a CA and Broker Keystore

Generate a keystore with a self-signed CA for testing, or import certificates from your CA:

# Generate a broker keystore with a new key pair
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
    -alias kafka-broker -keyalg RSA -keysize 2048 \
    -genkey -validity 365 -storepass changeit \
    -dname "CN=kafka.example.com"

# Generate a CSR
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
    -alias kafka-broker -certreq -file broker.csr -storepass changeit

# Sign with your CA (using openssl)
openssl x509 -req -in broker.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out broker-signed.crt -days 365

# Import the CA certificate into the keystore
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
    -alias CARoot -importcert -file ca.crt -storepass changeit -noprompt

# Import the signed certificate
keytool -keystore /etc/kafka/ssl/kafka.server.keystore.jks \
    -alias kafka-broker -importcert -file broker-signed.crt -storepass changeit

Create a Truststore

keytool -keystore /etc/kafka/ssl/kafka.server.truststore.jks \
    -alias CARoot -importcert -file ca.crt -storepass changeit -noprompt

Using PKCS12 (Alternative)

Convert PEM files to PKCS12 format:

openssl pkcs12 -export -in broker.crt -inkey broker.key -chain -CAfile ca.crt \
    -out /etc/kafka/ssl/kafka.server.keystore.p12 -name kafka-broker -password pass:changeit

Broker Configuration

Add the following settings to server.properties.

Enable TLS Listener

Configure Kafka to listen on a TLS-encrypted port:

listeners=SSL://[::]:9093
advertised.listeners=SSL://kafka.example.com:9093

Binding to the IPv6 wildcard [::] listens dual-stack (both IPv6 and IPv4-mapped connections) on a standard Linux JVM, provided the broker is not started with -Djava.net.preferIPv4Stack=true.

To support both plaintext and TLS during migration:

listeners=PLAINTEXT://[::]:9092,SSL://[::]:9093

Keystore and Truststore

ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.type=JKS
ssl.truststore.type=JKS

For PKCS12:

ssl.keystore.type=PKCS12
ssl.truststore.type=PKCS12

Protocol Versions

ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLSv1.3

  • ssl.enabled.protocols lists all allowed TLS versions.
  • ssl.protocol sets the default protocol used when creating new SSL connections.

Cipher Suites

Configure strong cipher suites. Kafka uses JSSE (Java) cipher names:

ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Client Authentication

To require clients to present a TLS certificate (mutual TLS):

ssl.client.auth=required

Other options:

  • required - Clients must present a valid certificate
  • requested - Clients are asked for a certificate but not required to present one
  • none - No client certificate verification

See RFC 8446 §4.3.2 for the TLS Certificate Request specification, and Wikipedia: Mutual authentication for a general overview.

Endpoint Identification

Enable hostname verification to prevent man-in-the-middle attacks:

ssl.endpoint.identification.algorithm=https

This has been the default since Kafka 2.0. Verification succeeds only if the broker certificate contains the hostname clients connect to (the name in advertised.listeners) in its Subject Alternative Name or, when no SAN is present, in its CN; setting the property to an empty string disables the check.

Inter-Broker TLS

Encrypt broker-to-broker communication within the cluster:

inter.broker.listener.name=SSL

Use inter.broker.listener.name (preferred) or security.inter.broker.protocol, but not both. When inter.broker.listener.name is set, security.inter.broker.protocol is ignored.

If using separate listeners for internal and external traffic:

listeners=INTERNAL://[::]:9093,EXTERNAL://[::]:9094
listener.security.protocol.map=INTERNAL:SSL,EXTERNAL:SSL
inter.broker.listener.name=INTERNAL

Controller TLS (KRaft Mode)

KRaft mode is required for all Kafka 4.0+ clusters (ZooKeeper mode was removed in Kafka 4.0). For clusters using KRaft mode, configure the controller listener:

controller.listener.names=CONTROLLER
listener.security.protocol.map=CONTROLLER:SSL,BROKER:SSL

The BROKER listener named in the map must also appear in listeners and be selected by inter.broker.listener.name; the listener.name.controller.* prefix below scopes the SSL settings to the CONTROLLER listener only.

# Controller SSL settings
listener.name.controller.ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
listener.name.controller.ssl.keystore.password=changeit
listener.name.controller.ssl.key.password=changeit
listener.name.controller.ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
listener.name.controller.ssl.truststore.password=changeit

Complete Broker Configuration

# Listeners
listeners=SSL://[::]:9093
advertised.listeners=SSL://kafka.example.com:9093

# Inter-broker
inter.broker.listener.name=SSL

# Keystore and truststore
ssl.keystore.location=/etc/kafka/ssl/kafka.server.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.truststore.location=/etc/kafka/ssl/kafka.server.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.type=JKS
ssl.truststore.type=JKS

# Protocol and ciphers
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.protocol=TLSv1.3
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

# Client authentication
ssl.client.auth=required
ssl.endpoint.identification.algorithm=https

Client Configuration

Producer/Consumer Properties

security.protocol=SSL
ssl.truststore.location=/path/to/client.truststore.jks
ssl.truststore.password=changeit
ssl.keystore.location=/path/to/client.keystore.jks
ssl.keystore.password=changeit
ssl.key.password=changeit
ssl.endpoint.identification.algorithm=https

Command-Line Tools

Test with the console producer:

kafka-console-producer.sh --bootstrap-server kafka.example.com:9093 \
    --topic test --producer.config /path/to/client-ssl.properties

Security Notes

Kafka uses Java's JSSE (Java Secure Socket Extension) for TLS. Vulnerability fixes are tied to the JDK version in use:

  • POODLE (CVE-2014-3566, 2014): SSL 3.0 disabled by default since Java 8u31 (January 2015). The recommended configuration explicitly excludes it.
  • BEAST (CVE-2011-3389, 2011): TLS 1.0 disabled by default since Java 8u292 / Java 11.0.11 (April 2021); excluded from the recommended configuration.
  • FREAK (CVE-2015-0204, 2015): EXPORT ciphers disabled by default since Java 8u40 (March 2015).
  • Sweet32 (CVE-2016-2183, 2016): 3DES disabled by default since Java 8u151 (October 2017); excluded from the recommended cipher list.
  • ROBOT (2017): Static RSA key exchange is excluded from the recommended configuration; only ECDHE is recommended.
  • Downgrade attacks: TLS_FALLBACK_SCSV supported since Java 8u31.
  • LOGJAM (CVE-2015-4000, 2015): DHE with weak keys excluded; only ECDHE is recommended.

The following well-known TLS vulnerabilities do not apply to Kafka brokers running on JSSE and need no configuration:

  • Heartbleed (CVE-2014-0160, 2014): Not applicable. Java's JSSE is an independent TLS implementation not based on OpenSSL and was never affected by Heartbleed.
  • BREACH (CVE-2013-3587, 2013): Not applicable. BREACH targets HTTP-level response compression; the Kafka protocol does not involve HTTP response compression.
  • DROWN (CVE-2016-0800, 2016): Not applicable. Java's JSSE does not support SSLv2.
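As an added example that is not part of this guide, the following Python script lints the TLS settings of a server.properties against the policy described above; each weak-cipher rule names the Security Notes item it corresponds to, and both sample configurations are constructed for the example.

```python
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Each rule maps a JSSE cipher-name pattern to the Security Notes item it violates.
WEAK_CIPHER_RULES = [
    (lambda s: s.startswith("TLS_RSA_WITH_"), "static RSA key exchange (ROBOT)"),
    (lambda s: "_DHE_" in s or "_DH_" in s, "finite-field DH/DHE (LOGJAM)"),
    (lambda s: "3DES" in s, "3DES (Sweet32)"),
    (lambda s: "_CBC_" in s, "CBC mode (BEAST-class attacks)"),
    (lambda s: "EXPORT" in s, "export-grade cipher (FREAK)"),
    (lambda s: "_NULL_" in s or "_anon_" in s, "no encryption or no authentication"),
]

# Constructed samples: the guide's recommended settings and a legacy configuration.
RECOMMENDED = """inter.broker.listener.name=SSL
ssl.enabled.protocols=TLSv1.2,TLSv1.3
ssl.cipher.suites=TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ssl.client.auth=required
ssl.endpoint.identification.algorithm=https"""

WEAK = """security.inter.broker.protocol=SSL
inter.broker.listener.name=SSL
ssl.enabled.protocols=TLSv1,TLSv1.1,TLSv1.2
ssl.cipher.suites=TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
ssl.client.auth=none
ssl.endpoint.identification.algorithm="""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' start comments, first '=' splits key/value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def lint_tls(props):
    """Return a list of findings; an empty list means the configuration meets the policy."""
    def split(value): return [x.strip() for x in value.split(",") if x.strip()]
    findings = [f"weak protocol enabled: {p}" for p in
                split(props.get("ssl.enabled.protocols", "TLSv1.2,TLSv1.3")) if p in WEAK_PROTOCOLS]
    for suite in split(props.get("ssl.cipher.suites", "")):
        findings += [f"{suite}: {why}" for match, why in WEAK_CIPHER_RULES if match(suite)]
    if props.get("ssl.client.auth", "none") != "required":
        findings.append("ssl.client.auth is not 'required' (no mutual TLS)")
    if props.get("ssl.endpoint.identification.algorithm", "https") != "https":
        findings.append("hostname verification disabled")
    if "inter.broker.listener.name" in props and "security.inter.broker.protocol" in props:
        findings.append("inter.broker.listener.name and security.inter.broker.protocol both set")
    return findings
```

The defaults used for missing keys are Kafka's own (TLSv1.2,TLSv1.3; client auth none; endpoint identification https), so an unset key is judged the way the broker would behave.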

Verification

Check that the SSL listener is active and that the broker certificate chains to your CA:

openssl s_client -connect kafka.example.com:9093 -CAfile ca.crt

Because the broker is configured with ssl.client.auth=required, a probe without a client certificate is closed after the handshake; add -cert and -key with a client certificate to complete the connection. The output shows the negotiated protocol version and cipher suite, which should be TLSv1.3 or TLSv1.2 with one of the configured suites.

Verify broker connectivity using kafka-broker-api-versions:

kafka-broker-api-versions.sh --bootstrap-server kafka.example.com:9093 \
    --command-config /path/to/client-ssl.properties

Check the broker logs for TLS handshake information:

grep -i ssl /var/log/kafka/server.log
