SSL Certificate for Cloud

[mlapaglia]

Description

Is there a way to give the client a HTTP link to download the certificate from, or a way to pass the certificate in manually as a string? I am having issues with this certificate across our build server and containers using different operating systems trying to reference a filepath.

https://github.com/confluentinc/confluent-kafka-dotnet/blob/master/examples/ConfluentCloud/Program.cs#L56

Checklist

Please provide the following information:

• [ ] A complete (i.e. we can run it), minimal program demonstrating the problem. No need to supply a project file.
• [ ] Confluent.Kafka nuget version.
• [ ] Apache Kafka version.
• [ ] Client configuration.
• [ ] Operating system.
• [ ] Provide logs (with "debug" : "..." as necessary in configuration).
• [ ] Provide broker log excerpts.
• [ ] Critical issue.

[mhowlett]

there's work going on to integrate with windows cert store, but that doesn't sound like it's relevant unless it includes the ability to pass the cert as a string: https://github.com/edenhill/librdkafka/issues/1770

... so you'd need to build that yourself and use a temp file. I'm not sure why we don't allow certs to be specified as a string, seems useful.

cc: @edenhill

[danzman9]

I also have this issue, where I have SSL cert on a windows cert store, but not on file. Is there an update to this issue? Or can somewhat please provide detailed steps to a work around?

[edenhill]

We're currently wrapping up support for in-memory keys & certs as well as default integration with the Windows Root certificate store. PR is here: https://github.com/edenhill/librdkafka/pull/2309

We'll publish a release candidate in a week or two which we'd be very happy if you'd like to try out.

[danzman9]

Thank you for your response and effort. I'm struggling to follow the complexity of that PR. I can pull my x509 from my cert store programmatically. Is there any support in the current release for connection if I have my cert info in memory. For example I can get the private and public keys in XML string format. Will that allow the producer to connect? (On a side note we have the producer talking to the broker fine using a different client package so I know my certs are setup correctly, but I'm trying to switch to confluent-kafka).

[edenhill]

The current release only supports on-disk certs&keys. The future release with that PR merged will support in-memory certs&keys (PEM, DER, PKCS#12) as well as default reading of CA certs from the Windows Root store.

You will not be able to use XML formatted keys/certs, if you want to use something non-binary, use PEM.

[denissoloviy]

Hi!

What is the status of implementing the support of in-memory and Windows Root store certificates? Is there a possibility to use an in-memory CA certificate string in PEM format, not only keys?

Also, is there some page with instructions on how to read a CA certificate from the Windows Root store?

[edenhill]

@denisivan0v it is available in version 1.1.0 and later, see https://github.com/edenhill/librdkafka/releases/v1.1.0

[denissoloviy]

Ok, thanks!

But the main question is: Is there a possibility to use an in-memory CA certificate string in PEM format, not only keys?