NetApp Closes Acquisition of Instaclustr Read the announcement

Configure the Keystore to Use Client ⇄ Broker Encryption & Mutual Authentication (mTLS) For Apache Kafka® Client


This article describes how to configure a local keystore to enable Apache Kafka clients to connect to the cluster with Client Broker Encryption & Mutual Authentication (mTLS) and a connection example. 


  • You must have a Kafka cluster with mTLS enabled – see documentation for more help with this. 
  • You must have the signed user certificates available – see documentation for more help with this. 
  • You must allow the client IP to connect to the mTLS ports through your cluster firewall – see documentation for more help with this. 
  • You have keytool, a key and certificate management utility which is bundled with the Java Development Kit (JDK). For more information refer to the keytool documentation. Another tool or service could be used instead as many options are available. 

Configuring the Keystore to Use mTLS Authentication with Apache Kafka Clients 

  1. Add the cluster CA X.509 certificate to the keystore. Ensure it is the same the keystore used while creating the certificate signing request. An example code snippet for this using keytool in a terminal is as follows

    For more information on where to find the CA X509 certificate, refer to the instructions here. 
  2. For instructions on how to generate the signed certificate, please refer to the instructions here. Add the signed client certificate to the keystore. An example code snippet for this using keytool in a terminal is as follows

Example Connection 

Now that you have the keystore set up to connect to your Kafka cluster, a range of connection examples are available on the Connection Information page using different connection methods. As an example, the following steps show how to connect a consumer and producer using the Kafka CLI.

  1. Download and unzip a copy of Kafka. Kafka can be downloaded from and choose appropriate version.  
  2. Create a configuration file (e.g. containing the following properties:
  3. Start a console producer using the following command 
  4. In a separate terminal, start a consumer with the following command
  5. Type “instaclustr” in the producer terminal and press Enter. Confirm that “instaclustr” is received in the consumer terminal. 

Additional Resources 

Refer to the following resources for further information on mTLS with Apache Kafka: 

By Instaclustr Support
Need Support?
Experiencing difficulties on the website or console?
Already have an account?
Need help with your cluster?
Contact Support
Why sign up?
To experience the ease of creating and managing clusters via the Instaclustr Console
Spin up a cluster in minutes