Skip to content

Allow Kafka-UI container to use Kafka certificates directly (.key, .cert, .ca) without manual Java keystore conversion #1437

New issue
New issue
Open
Open
Allow Kafka-UI container to use Kafka certificates directly (.key, .cert, .ca) without manual Java keystore conversion#1437
Labels
status/triage/completedAutomatic triage completedstatus/triage/manualManual triage in progresstype/featureA brand new feature
@JulienBrunetDecathlon

Description

@JulienBrunetDecathlon
JulienBrunetDecathlon
opened on Oct 24, 2025

Issue submitter TODO list

  • I've searched for an already existing issues here
  • I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

Currently, when connecting Kafka-UI to a Kafka cluster that uses SSL authentication, the certificates must be manually converted into Java-compatible formats (JKS or PKCS12).
For example, when using certificates like:

  • service.key
  • service.cert
  • ca.pem

Describe the feature you're interested in

Title

Allow Kafka-UI container to use Kafka certificates directly (.key, .cert, .ca) without manual Java keystore conversion

Description

Hi 👋

Currently, when connecting Kafka-UI to a Kafka cluster that uses SSL authentication, the certificates must be manually converted into Java-compatible formats (JKS or PKCS12).
For example, when using certificates like:

  • service.key
  • service.cert
  • ca.pem

We have to run commands such as:

subprocess.check_call([
    "keytool", "-importcert",
    "-alias", "Aiven CA",
    "-keystore", "client.truststore.jks",
    "-storepass", PASSWORD,
    "-file", "ca.pem",
    "-noprompt",
])
subprocess.check_call([
    "openssl", "pkcs12", "-export",
    "-out", "client.keystore.p12",
    "-inkey", "service.key",
    "-in", "service.cert",
    "-certfile", "ca.pem",
    "-passout", f"pass:{PASSWORD}",
])

and then configure Kafka-UI to use those JKS/PKCS12 files.

Feature request

Would it be possible to allow Kafka-UI to load .key, .cert, and .ca files directly (like most non-Java Kafka clients), without requiring conversion to JKS/PKCS12?

This would simplify integration, especially in containerized or automated setups (e.g., when Kafka-UI is deployed via Docker/Kubernetes), and would avoid running extra conversion steps before container startup.

Use case

When using managed Kafka services (like Aiven, Confluent, etc.), certificates are often provided in PEM format. Having native support for .key/.cert/.ca files would:

  • Simplify CI/CD and deployment pipelines
  • Reduce the need for keytool and openssl in custom init scripts
  • Improve developer experience

Environment

  • Kafka-UI version: e.g. v1.3.0
  • Deployment: Docker container
  • Kafka cluster: Aiven-managed Kafka

Would this be something feasible or planned in the roadmap?

Thanks a lot for your great work on Kafka-UI 🙏

Describe alternatives you've considered

No response

Version you're running

latest

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    status/triage/completedAutomatic triage completedstatus/triage/manualManual triage in progresstype/featureA brand new feature

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions