Support multiple CAs in the Clients CA secret
Today, we officially support only a single Clients CA (=> single public CA in the Kafka truststore). However, sometimes users are interested in using multiple CAs at the same time. We never designed for it, but it works when you just add multiple CRT files into the Clients CA secret, e.g. ca.crt and ca-2.crt. This of course does not work with the User Operator and type: tls authentication, but it works fine for users with type: tls-external. We should consider if we want to support this officially. In that case, we should document it and add STs to make sure we keep this working, and decide if we need something more with regards to rolling etc.
One of the examples where this was discussed is #6559
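The behaviour the issue relies on, a broker truststore that holds every *.crt entry of the Clients CA secret and therefore accepts a client certificate chaining to any of them, can be modelled with nothing but the Go standard library. The block below is an added example, not Strimzi code: it constructs two CAs standing in for ca.crt and ca-2.crt, an unrelated third CA, and one tls-external-style client certificate per CA, then checks which clients a truststore built from the secret accepts. The secret keys, CA names, user names and the ".crt suffix" selection rule are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for tmpl. A nil parent means
// self-signed (a CA); otherwise parent/parentKey sign it. Returns cert, key, PEM.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// caTemplate describes a constructed CA; not a real Strimzi-generated CA.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// clientTemplate describes a client-auth leaf, as a tls-external user would bring.
func clientTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// buildTruststore models the broker truststore: every secret entry whose key
// ends in ".crt" becomes a trust anchor (assumed selection rule); anything
// else, such as a key entry, is ignored.
func buildTruststore(secretData map[string][]byte) *x509.CertPool {
	pool := x509.NewCertPool()
	for key, val := range secretData {
		if !strings.HasSuffix(key, ".crt") {
			continue
		}
		if !pool.AppendCertsFromPEM(val) {
			panic("secret entry " + key + " holds no parseable certificate")
		}
	}
	return pool
}

// clientTrusted is the mutual-TLS check: does the client chain to any CA in the pool?
func clientTrusted(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Demo assembles a constructed Clients CA secret holding ca.crt and ca-2.crt and
// reports whether clients signed by CA 1, CA 2 and an unrelated CA are accepted.
func Demo() (fromCA1, fromCA2, fromUnrelated bool) {
	ca1, key1, pem1 := issue(caTemplate("clients-ca", 1), nil, nil)
	ca2, key2, pem2 := issue(caTemplate("clients-ca-2", 2), nil, nil)
	other, otherKey, _ := issue(caTemplate("unrelated-ca", 3), nil, nil)
	secret := map[string][]byte{ // constructed stand-in for the Secret's data
		"ca.crt":   pem1,
		"ca-2.crt": pem2,
		"ca.key":   []byte("not a certificate; must be skipped"),
	}
	pool := buildTruststore(secret)
	alice, _, _ := issue(clientTemplate("alice"), ca1, key1)
	bob, _, _ := issue(clientTemplate("bob"), ca2, key2)
	mallory, _, _ := issue(clientTemplate("mallory"), other, otherKey)
	return clientTrusted(pool, alice), clientTrusted(pool, bob), clientTrusted(pool, mallory)
}

func main() {
	a, b, c := Demo()
	fmt.Printf("ca.crt client: %v, ca-2.crt client: %v, unrelated client: %v\n", a, b, c)
}
```

Two points the model makes visible: every CA in the secret is trusted equally, so a client from either CA authenticates and nothing ties a given KafkaUser to one specific CA; and the pool is built once from the secret's contents, so adding or removing a *.crt entry only takes effect when the brokers reload their truststore, which is the rolling question the issue leaves open.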
Issue Analytics
- Created a year ago
- Comments: 5 (3 by maintainers)
Top GitHub Comments
There is no update on this. I do not think this issue depends on the existing proposal about CA abstraction, I think it can be worked on separately as well.
The start for this would be to write a proposal of how it could be implemented. You can check some of the existing proposals to see what they look like and what they contain: https://github.com/strimzi/proposals … you can basically just open the PR there with the proposal.
I would be a bit careful about mixing a custom CA with the Strimzi-managed CA. I think that in general it increases the risk of things breaking, overwriting each other etc. I also wonder if it matches any use cases for this. What would be the use case for mixed CAs like that? But if you think it is possible, then it can of course be part of the proposal.