Skip to main content

Renew and acknowledge service user SSL certificates

Aiven for Apache Kafka® automatically generates a new SSL certificate for service users about three months before the existing certificate's expiration date. This new certificate includes a renewed private key.

SSL certificate renewal schedule

SSL certificates for Aiven for Apache Kafka® services are valid for 820 days, approximately two years, and three months. This renewal involves regenerating the SSL certificate and its private key to enhance security. Renewal notifications are sent to project administrators, operators, and technical contacts. The current certificate stays valid until expiration to ensure a smooth transition.

Download the new SSL certificates

Once renewed, you can download the new SSL certificate from the Aiven Console, Aiven API, or Aiven CLI.

If your Aiven for Apache Kafka service has a certificate about to expire, the Aiven Console will display a notification on the service page, prompting you to download the new certificate.

Apache Kafka service user SSL certificate expiring message

To download the new certificate,

  1. Access the Aiven Console.
  2. Select your Aiven for Apache Kafka service.
  3. Click Users in the sidebar.
  4. Select the required user and click Show access key and Show access cert to download the new certificate.

Apache Kafka service user SSL certificate and access key download

note

You can also use the Aiven CLI command avn service user-creds-download to download the renewed SSL certificate and key.

Acknowledge new SSL certificate usage

Confirm that the new certificate is in use to stop receiving notifications about certificate expiration.

To acknowledge the new SSL certificate with the Aiven Console:

  • Select ... next to the certificate.
  • Select Acknowledge certificate.
note

You can also use the Aiven CLI command avn service user-creds-acknowledge to acknowledge the user credentials. Similarly, the Aiven API provides a way to acknowledge the new SSL certificate through the Modify service user credentials endpoint:

curl --request PUT \
--url https://api.aiven.io/v1/project/<project>/service/<service>/user/<username> \
--header 'Authorization: Bearer <bearer token>' \
--header 'content-type: application/json' \
--data '{"operation": "acknowledge-renewal"}'

Turn off certificate expiration notifications for SASL services

When using SASL authentication in Aiven for Kafka services, you might still receive certificate expiration notifications, even if your service doesn't use certificates for authorization. Aiven updates certificates across all services to maintain security standards, which includes services that combine TLS encryption with SASL authentication.

To turn off these notifications:

  1. Access the Aiven Console.
  2. Select your Aiven for Apache Kafka service.
  3. Click Service settings from the sidebar.
  4. Scroll to Advanced configurations, and click Configure.
  5. Click Add configuration options.
  6. Search for kafka_authentication_methods.certificate and disable it.