Aiven utilises TLS (SSL) to secure the traffic between its services and client's applications. This means that clients need to be configured with the right tools to be able to communicate with Aiven services. This article provides a guide on how to create a Java keystore and a truststore, which are necessary to access Aiven Kafka from a Java client.

Keystores and Truststores are generally password protected files that should be easily accessible to the client expected to interact with the service. As a starting point in creating a keystore, then a truststore, the following files are needed:

  • Access Key (service.key)

  • Access Certificate (service.cert)

  • CA Certificate (ca.pem)

All of them can be downloaded from the tab "Overview", which is present in every Aiven service.


Starting from service.key and service.cert, the keystore can be created by using the utility openssl. The format has to be PKCS12, the default since Java 9.

openssl pkcs12 -export -inkey service.key -in service.cert -out client.keystore.p12 -name service_key


The truststore uses the project certificate ca.pem in input. It can be created by using the keytool utility in the folowing way.

keytool -import -file ca.pem -alias CA -keystore client.truststore.jks

The files obtained are now ready to be included into the configuration of client applications.

Did this answer your question?