Update tls_utils.sh to Support CA Bundles (Multiple Certificates) #11186
Replies: 3 comments 1 reply
Strimzi works fine with multi-level CAs. So if you think there is a problem, you should be more explicit about what it is.
Thank you for your input. I understand that Strimzi in general handles multi-level CAs properly. My concern is specifically with how the tls_utils.sh script processes the CA file. Currently, it uses a single keytool command, which assumes a single certificate. If someone supplies a CA bundle (with a root plus intermediates), that single command might import only one certificate. This could lead to an incomplete truststore, which in turn might cause TLS handshake issues if intermediate certificates are required for proper chain validation. Could you please clarify if the current design expects the CA file provided to tls_utils.sh to always be a single certificate? If not, would it be acceptable to enhance the script to detect multiple certificates?
Here is a related topic I found; your suggestion and work have been done related to that. Thanks.
Description
The current tls_utils.sh script is designed to import a single CA certificate into the truststore using keytool.
However, a CA certificate may eventually be a bundle containing multiple certificates (e.g., a root CA plus intermediates). With the current implementation, if a CA bundle is provided, only one certificate might be imported, potentially causing TLS handshake errors if the entire chain isn’t trusted.
The suggestion is to dynamically detect whether the CA certificate file contains one or multiple certificates by modifying the script. That way we are making sure Kafka loads all Certificate Authorities (CAs) from the CA bundle into the truststore.
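The split-and-loop approach the description asks for, as an added example written here and not Strimzi's actual tls_utils.sh: it splits a PEM bundle into one file per certificate and imports each under its own alias, since a single keytool -importcert reads only the first certificate in the file. It assumes keytool on the PATH and a PKCS12 truststore; the bundle built inline has placeholder bodies rather than real certificates, so only the splitting step is run on it.

```shell
#!/usr/bin/env bash
# Added example, not the Strimzi script: import every certificate in a PEM
# bundle into the truststore rather than relying on one keytool call.
set -eu

# Split a PEM bundle into one file per certificate.
# $1 = bundle path, $2 = output directory. Prints the number of certs written.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".crt" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$bundle"
}

# Import each split certificate under a distinct alias (keytool refuses a
# duplicate alias, so one alias per bundle cannot hold the whole chain).
# $1 = bundle path, $2 = truststore path, $3 = truststore password.
# Requires a real bundle and keytool on the PATH; not run on the sample below.
import_ca_bundle() {
  local bundle="$1" store="$2" pass="$3" dir count i
  dir=$(mktemp -d)
  count=$(split_pem_bundle "$bundle" "$dir")
  i=1
  while [ "$i" -le "$count" ]; do
    keytool -importcert -noprompt -trustcacerts -alias "ca-$i" \
      -file "$dir/ca-$i.crt" -keystore "$store" \
      -storepass "$pass" -storetype PKCS12
    i=$((i + 1))
  done
  rm -rf "$dir"
  echo "$count"
}

# Constructed sample bundle (placeholder bodies, not real certificates):
# a root CA followed by one intermediate in the same file.
SAMPLE_BUNDLE=$(mktemp)
trap 'rm -f "$SAMPLE_BUNDLE"' EXIT
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
ROOTCAPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATECAPLACEHOLDER
-----END CERTIFICATE-----
EOF

# Demo of the splitting step on the sample: reports 2 certificates.
DEMO_DIR=$(mktemp -d)
echo "certificates found in bundle: $(split_pem_bundle "$SAMPLE_BUNDLE" "$DEMO_DIR")"
```

Against a real bundle, `import_ca_bundle ca-bundle.crt truststore.p12 "$PASSWORD"` imports every certificate; `keytool -list -keystore truststore.p12` should then show one entry per certificate in the chain.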