
SSL/TLS configuration

Depending on the environment, Conduktor might need to access external services such as Kafka clusters, SSO servers, databases, or object storage that require a custom certificate for SSL/TLS communication.


Since version 1.8.0, Conduktor provides a mechanism inside the UI for managing custom certificates for Kafka, Kafka Connect and Confluent Schema Registry.

The following list and table give you an overview of what's currently supported and which methods you can use to configure it:

  • From the UI (recommended). From Conduktor Platform, you can manage your certificates in a dedicated screen. You can also configure SSL authentication from the broker setup wizard.
  • Volume mount. This method is only required if you have LDAPS. Do not use it for Kafka or Kafka components.

| | Kafka Clusters | Schema Registry / Kafka Connect | LDAPS, OIDC |
|---|---|---|---|
| SSL to secure data in transit | ✅ UI | ✅ UI | 🚫 UI, ✅ Volume mount |
| SSL to authenticate the client | ✅ UI | ✅ UI | 🚫 Unsupported |


Using the Conduktor Certificate Store

Since version 1.8.0 you can manage custom certificates for Kafka, Kafka Connect and Schema Registry. This enables you to import and parse the certificates as text or files. The supported file formats are:

  • .crt
  • .pem
  • .jks
  • .p12

Uploading certificates in the cluster configuration screen

Assuming you have appropriate permissions, you can add cluster configurations from within Admin. When you add the bootstrap server to your configuration, a check will be made to validate if the certificate is issued by a valid authority.


If the response indicates the certificate is not issued by a valid authority, you have two options:

  • Skip SSL Check: This will skip validation of the SSL certificate on your server. This is an easy option for development environments with self-signed certificates. With validation skipped, the server's identity is not verified, so keep this option to development environments.
  • Upload Certificate: This option will enable you to upload the certificate (.crt, .pem, .jks or .p12 files), or paste the certificate as text.


After uploading the certificate, you should see the green icon indicating that the connection is secure.


Adding certificates in the dedicated certificates screen

Provided you have permissions, you can also manage organization certificates via the Certificates tab within Admin.

Simply add all of your certificates by uploading them or pasting them as text. In doing this, the SSL context will be derived when you configure Kafka, Kafka Connect and Schema Registry connections.


Mounting Custom Truststore

Since version 1.5.0, Conduktor supports SSL/TLS connections using a Java truststore. The following describes how to mount a custom truststore when starting Conduktor.

Create TrustStore (jks) from certificate in pem format

If you already have a truststore, you can ignore this step.

You need the keytool program, which is usually packaged with JDK distributions, and a certificate in PEM format (.pem or .crt).

    # -keystore:  output truststore JKS file
    # -alias:     certificate alias inside the truststore (usually the
    #             certificate subject); fill it in between the quotes
    # -file:      input certificate file
    # -storepass: truststore password
    keytool \
      -importcert \
      -noprompt \
      -trustcacerts \
      -keystore ./truststore.jks \
      -alias "" \
      -file ./my-certificate-file.pem \
      -storepass changeit \
      -storetype JKS

Configure custom truststore on Conduktor Platform

Mount the truststore file into the conduktor-platform container and pass the environment variables that give the location of the truststore file inside the container and, if needed, its password.

Assume the truststore file is named truststore.jks with password changeit.
We mount the truststore file at /opt/conduktor/certs/truststore.jks inside the container.

If run from Docker:

    docker run --rm \
      --mount "type=bind,source=$PWD/truststore.jks,target=/opt/conduktor/certs/truststore.jks" \
      -e CDK_SSL_TRUSTSTORE_PATH="/opt/conduktor/certs/truststore.jks" \
      -e CDK_SSL_TRUSTSTORE_PASSWORD="changeit" \
      conduktor/conduktor-platform:latest

From docker-compose:

    version: '3.8'

    services:
      conduktor-platform:
        image: conduktor/conduktor-platform:latest
        ports:
          - 8080:8080
        volumes:
          - type: bind
            source: ./truststore.jks
            target: /opt/conduktor/certs/truststore.jks
            read_only: true
        environment:
          CDK_SSL_TRUSTSTORE_PATH: '/opt/conduktor/certs/truststore.jks'
          CDK_SSL_TRUSTSTORE_PASSWORD: 'changeit'
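
Added example, not part of the Conduktor documentation: before starting the container, confirm that truststore.jks really contains the certificate you intended to trust, by comparing the SHA-256 fingerprint openssl reports for the PEM file with the ones keytool lists for the truststore. The function names, the script name and the throwaway demo certificates are assumptions made for illustration; openssl and keytool must be on PATH.

```bash
#!/usr/bin/env bash
# Confirm that a JKS truststore contains a given PEM certificate by comparing
# SHA-256 fingerprints. Requires openssl and keytool on PATH.

# SHA-256 fingerprint of a PEM certificate, hex digits without colons.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
    | sed 's/^.*=//' | tr -d ': \r'
}

# One SHA-256 fingerprint per truststore entry, same normalisation.
truststore_fingerprints() {
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^.*SHA256: *//p' | tr -d ': \r'
}

# 0 = certificate is in the truststore, 1 = it is not, 2 = PEM unreadable.
truststore_contains() {
  local want
  want="$(pem_fingerprint "$1")"
  [ -n "$want" ] || return 2
  truststore_fingerprints "$2" "$3" | grep -qix "$want"
}

# Constructed demo: two throwaway self-signed certificates stand in for real
# CAs. Only the first is imported, with the keytool options shown on this page.
demo_truststore() {
  local d cn rc_in rc_out
  d="$(mktemp -d)" || return 2
  for cn in demo-ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
      -keyout "$d/$cn.key" -out "$d/$cn.pem" 2>/dev/null
  done
  keytool -importcert -noprompt -trustcacerts -keystore "$d/truststore.jks" \
    -alias demo-ca -file "$d/demo-ca.pem" -storepass changeit \
    -storetype JKS >/dev/null 2>&1
  truststore_contains "$d/demo-ca.pem" "$d/truststore.jks" changeit && rc_in=0 || rc_in=$?
  truststore_contains "$d/other-ca.pem" "$d/truststore.jks" changeit && rc_out=0 || rc_out=$?
  rm -rf "$d"
  echo "imported=$rc_in not_imported=$rc_out"
}

# Usage: ./check-truststore.sh cert.pem truststore.jks changeit
if [ "$#" -eq 3 ]; then truststore_contains "$@"; exit $?; fi
```

An exit status of 1 means the truststore does not hold that certificate, which usually points to a wrong input file or a stale truststore.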

Client Certificate Authentication

This mechanism uses the TLS protocol to authenticate the client. Other names include:

  • Mutual SSL, Mutual TLS, mTLS
  • Two-Way SSL, SSL Certificate Authentication
  • Digital Certificate Authentication, Public Key Infrastructure (PKI) Authentication

Using the UI (keystore method)

Your Kafka Admin or your Kafka Provider gave you a keystore file (.jks or .p12 format).

Click the "Import from keystore" button to select a keystore file from your filesystem.

Fill in the required keystore password and key password and click "Import".

You'll get back to the cluster screen with the content of your keystore extracted into Access key and Access certificate.

Using the UI (Access key & Access certificate method)

Your Kafka Admin or your Kafka Provider gave you 2 files for authentication.

  • An Access key (.key file)
  • An Access certificate (.pem or .crt file)

Aiven, for example, provides the credentials in this form.

You can paste the contents of the two files into Conduktor Platform, or alternatively import from keystore.
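
Added example, not part of the Conduktor documentation: a pre-flight check to run on the two files before pasting them, confirming that the Access key belongs to the Access certificate and that the certificate has not expired. The function names, the script name and the throwaway demo certificates are assumptions made for illustration; openssl must be on PATH.

```bash
#!/usr/bin/env bash
# Pre-flight check for an "Access key" / "Access certificate" pair: the
# private key must belong to the certificate and the certificate must not
# be expired. Requires openssl on PATH.

# 0 = usable pair, 1 = key does not belong to the certificate,
# 2 = a file could not be parsed (an encrypted key is reported this way,
#     because an empty passphrase is supplied), 3 = certificate expired.
check_client_pair() {
  local key_pub cert_pub
  key_pub="$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null)" || return 2
  cert_pub="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" || return 2
  [ -n "$key_pub" ] && [ -n "$cert_pub" ] || return 2
  # Both commands print the public key in the same PEM form,
  # so a plain string comparison is enough.
  [ "$key_pub" = "$cert_pub" ] || return 1
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 3
  return 0
}

# Constructed demo: two throwaway self-signed client certificates.
demo_client_pair() {
  local d n ok swapped garbage
  d="$(mktemp -d)" || return 2
  for n in client-a client-b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null
  done
  printf 'not a key\n' > "$d/garbage.key"
  check_client_pair "$d/client-a.key" "$d/client-a.pem" && ok=0 || ok=$?
  check_client_pair "$d/client-b.key" "$d/client-a.pem" && swapped=0 || swapped=$?
  check_client_pair "$d/garbage.key" "$d/client-a.pem" && garbage=0 || garbage=$?
  rm -rf "$d"
  echo "matching=$ok swapped=$swapped garbage=$garbage"
}

# Usage: ./check-client-pair.sh client.key client.pem
if [ "$#" -eq 2 ]; then check_client_pair "$@"; exit $?; fi
```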

Using Volume Mount (Alternate method)

You can mount the keystore file in Conduktor Platform:

    version: '3.8'

    services:
      conduktor-platform:
        image: conduktor/conduktor-platform:latest
        ports:
          - 8080:8080
        volumes:
          - type: bind
            source: ./keystore.jks
            target: /opt/conduktor/certs/keystore.jks
            read_only: true

And then from the UI, choose the SSL Authentication method "Keystore file is mounted on the volume" and fill in the required fields.