KIP-1117 — Support keystore with multiple alias entries
Discussion Security
Adds a new ssl.keystore.alias config that instructs the DefaultSslEngineFactory to select a specific key alias from a multi-entry keystore when constructing the SSLContext, rather than defaulting to the first entry. Keystores with multiple key entries caused SSL handshake failures or wrong-certificate authentication because Kafka had no mechanism to select a specific alias.
Details
| Author | Rahul Nirgude |
| Status | Discussion |
| Wiki | View on Apache Wiki |
| Created | 2024-11-27 |
| Last Modified | 2025-04-13 |