All traffic to Aiven services is always protected by TLS (SSL). TLS ensures that third parties can't eavesdrop on or modify the data while it's in transit between the Aiven services and the clients accessing them.

Every Aiven project has its own private Certificate Authority, which signs the certificates that the Aiven services use internally to communicate between cluster nodes and with the Aiven management systems. You can download the project's CA certificate from the service view in the Aiven web console (click Show CA certificate) and establish trust by configuring your browser or client to trust that certificate.

The certificates and certificate authorities that are used in client-facing services vary between different service types and plans as follows:

PostgreSQL

All server certificates are always signed by the Aiven project CA.

Kafka

Direct Kafka access over the Kafka protocol always uses the Aiven project-specific CA certificate in the backend and requires a valid client certificate. The CA and client certificates can be downloaded from the Aiven console.

Kafka-REST, Schema Registry and Connect always use browser-recognized certificates.
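The two trust setups described above, as an added example that is not Aiven's own code: a client context that trusts only the downloaded project CA (and can present the client certificate that direct Kafka access requires), next to the system trust store used for browser-recognized endpoints. All function names and file paths here are assumptions; pass the paths of the files you downloaded from the console.

```python
import socket
import ssl
from pathlib import Path
from typing import Optional


def new_pinned_context() -> ssl.SSLContext:
    """Client context with an empty trust store: nothing is trusted yet."""
    # PROTOCOL_TLS_CLIENT turns on certificate and hostname verification and,
    # unlike ssl.create_default_context(), loads no system CA certificates.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def project_ca_context(ca_file: str,
                       client_cert: Optional[str] = None,
                       client_key: Optional[str] = None) -> ssl.SSLContext:
    """Trust only the project CA; optionally present a client certificate."""
    if (client_cert is None) != (client_key is None):
        raise ValueError("client_cert and client_key must be given together")
    for path in (ca_file, client_cert, client_key):
        if path is not None and not Path(path).is_file():
            raise FileNotFoundError(f"certificate material not found: {path}")
    ctx = new_pinned_context()
    ctx.load_verify_locations(cafile=ca_file)      # the project CA only
    if client_cert is not None:                    # needed for direct Kafka access
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def browser_recognized_context() -> ssl.SSLContext:
    """For endpoints with browser-recognized certificates: system trust store."""
    return ssl.create_default_context()


def peer_issuer(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Complete a verified handshake and return the server certificate issuer."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # 'issuer' is a tuple of RDNs, each a tuple of (name, value) pairs.
    return {name: value for rdn in cert["issuer"] for name, value in rdn}
```

Calling `peer_issuer` with a service's host and port shows which CA signed the certificate it presents; with the wrong context for that endpoint the handshake fails with `ssl.SSLCertVerificationError` instead of silently connecting.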

Elasticsearch

On the Hobbyist plan, the Elasticsearch backend and the Kibana frontend always use certificates signed by the Aiven project CA.

For Startup, Business and Premium plans, the Kibana frontend uses a browser-recognized certificate by default. The Elasticsearch backend uses a certificate signed by the Aiven project CA by default, but it can be switched to a browser-recognized one, if required, by sending a support request.

Grafana

The Hobbyist plan always uses a certificate signed by the Aiven project CA.
Startup plans use a browser-recognized certificate.

InfluxDB

A certificate signed by the Aiven project CA is used by default. For Startup plans, the certificate can be changed to a browser-recognized one by sending a support request.

Redis

All server certificates are always signed by the Aiven project CA.
