All traffic to Aiven services is always protected by TLS (SSL). TLS ensures that third parties can't eavesdrop on or modify the data while it's in transit between the Aiven services and the clients accessing them.

Every Aiven project has its own private Certificate Authority (CA), which signs the certificates that Aiven services use internally to communicate between cluster nodes and with the Aiven management systems. You can download the project's CA certificate from the Aiven web console in the service view (click Show CA certificate) and establish trust by setting up your browser or client to trust that certificate.

The certificates and certificate authorities that are used in client-facing services vary between different service types and plans as follows:

PostgreSQL

All server certificates are always signed by the Aiven project CA.

Kafka

Direct Kafka access over the Kafka protocol always uses the Aiven project-specific CA certificate in the backend and requires a valid client certificate. The CA and client certificates can be downloaded from the Aiven console.

Kafka-REST, Schema Registry and Connect always use browser-recognized certificates.

Elasticsearch

Both the Kibana frontend and Elasticsearch backend by default use browser-recognized certificates.

Old services may be using the Aiven project CA for the Elasticsearch backend. It can be switched to a browser-recognized one if required by sending a support request. No automatic switching between different types of certificates is performed.

Grafana

Grafana uses a browser-recognized certificate.

InfluxDB

InfluxDB by default uses a browser-recognized certificate.

Old services may be using the Aiven project CA. It can be switched to a browser-recognized one if required by sending a support request. No automatic switching between different types of certificates is performed.

Redis

Redis by default uses a browser-recognized certificate.

Old services may be using the Aiven project CA. It can be switched to a browser-recognized one if required by sending a support request. No automatic switching between different types of certificates is performed.
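
The two trust setups described above, as an added Python example (not Aiven's own code): a client context that trusts only the downloaded project CA, optionally with the client certificate that direct Kafka access requires, or the system trust store for browser-recognized certificates. The function names and all paths passed to them are assumptions for illustration.

```python
import socket
import ssl


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Build a verifying client-side TLS context.

    ca_file=None -> browser-recognized certificate: use the system trust store.
    ca_file=path -> project CA certificate: trust only that CA.
    client_cert/client_key -> client certificate, as direct Kafka access requires.
    """
    if ca_file is None:
        ctx = ssl.create_default_context()
    else:
        # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking and
        # starts with an empty trust store, so only the project CA is accepted.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)
    if client_cert is not None:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def peer_issuer(host, port, ctx):
    """Complete a verified handshake and return the server certificate's issuer.

    Works for endpoints that speak TLS from the first byte; PostgreSQL clients
    normally negotiate TLS inside the PostgreSQL protocol, so use the database
    driver's own TLS options there instead.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # 'issuer' is a tuple of RDNs, each a tuple of (name, value) pairs.
    return {name: value for rdn in cert["issuer"] for name, value in rdn}
```

Calling `peer_issuer` with each kind of context shows which CA an older Elasticsearch, InfluxDB or Redis service presents: the handshake succeeds only with the context whose trust store contains the issuing CA.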
