Configure Java SSL keystore and truststore to access Apache Kafka®
Aiven for Apache Kafka® utilises TLS (SSL) to secure the traffic between its services and client applications. This means that clients must be configured with the right tools to be able to communicate with the Aiven services.
Keystores and truststores are password-protected files accessible by the client that interacts with the service. To create these files:
Log in to the Aiven web console and select your Aiven for Apache Kafka service.
Download the Access Key, Access Certificate and CA Certificate. The resulting service.key, service.cert and ca.pem are going to be used in the following steps.

Use the openssl utility to create the keystore with the service.key and service.cert files downloaded previously:
openssl pkcs12 -export \
-inkey service.key \
-in service.cert \
-out client.keystore.p12 \
-name service_key
Note
The format has to be PKCS12, which is the default since Java 9.
Enter a password to protect the keystore and the key, when prompted.
In the folder where the certificates are stored, use the keytool utility to create the truststore with the ca.pem file as input:
keytool -import \
-file ca.pem \
-alias CA \
-keystore client.truststore.jks
Enter a password to protect the truststore, when prompted.
Reply yes to confirm trusting the CA certificate, when prompted.
The result is the keystore named client.keystore.p12 and the truststore named client.truststore.jks, which can be used to configure client applications.
Tip
You can use the Aiven CLI command avn service user-kafka-java-creds to automate the creation of both the keystore and the truststore. Check the dedicated page for more details.
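
The script below is an added example, not part of the original page or of Aiven's tooling: it checks that the files produced by the steps above are consistent before they are handed to a client (the key belongs to the certificate, the keystore opens with its password and holds that certificate and a key, and the truststore entry is the downloaded CA). The function names, the KS_PASS and TS_PASS environment variables and the make_sample helper are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Passwords come from the environment (KS_PASS, TS_PASS), not from arguments,
# so they stay out of the process list and shell history.

# SHA-256 fingerprint of the PEM certificate on stdin (empty on failure).
fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# 0 if service.key is the private key belonging to service.cert.
key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1/service.key" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$1/service.cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# 0 if client.keystore.p12 opens with KS_PASS and holds service.cert and a key.
keystore_ok() {
  local p12="$1/client.keystore.p12" in_store on_disk
  in_store=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nokeys -clcerts 2>/dev/null | fp)
  on_disk=$(fp < "$1/service.cert")
  [ -n "$in_store" ] && [ "$in_store" = "$on_disk" ] || return 1
  openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# 0 if the truststore entry with alias CA is the downloaded ca.pem (needs keytool).
truststore_ok() {
  local want
  want=$(fp < "$1/ca.pem")
  [ -n "$want" ] || return 1
  keytool -list -keystore "$1/client.truststore.jks" -alias CA \
    -storepass:env TS_PASS 2>/dev/null | grep -qF "$want"
}

# Constructed throwaway key, self-signed certificate and keystore for trying the
# checks offline; these are not Aiven files.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-client" \
    -keyout "$1/service.key" -out "$1/service.cert" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/service.key" -in "$1/service.cert" \
    -out "$1/client.keystore.p12" -name service_key -passout env:KS_PASS
}

# Run all checks when a directory is given: KS_PASS=... TS_PASS=... ./check.sh DIR
if [ -n "${1:-}" ]; then
  key_matches_cert "$1" && keystore_ok "$1" && truststore_ok "$1" && echo "all checks passed"
fi
```

A keystore written by an older OpenSSL release may need the -legacy option when read with OpenSSL 3.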