Understanding mTLS: sequence diagram
When I was setting up Kafka with SSL I realised that without a proper understanding of how mTLS works I could not just blindly follow the examples available online, so I decided to go a bit deeper into how SSL/TLS and mTLS work, using Kafka connectivity as the example.
If you are interested in how to generate and use keystore/truststore files, I explained that here in more detail.
sequenceDiagram
participant Client as Kafka Client
participant Broker as Kafka Broker
participant CA as Certificate Authority
Note over CA: Signs both certificates beforehand.<br/>It is not contacted during the handshake: each side verifies the other locally<br/>against the CA certificate held in its own truststore.
Note over Client, Broker: Both have certificates signed by the trusted CA
Note over Client: Uses keystore (client.keystore) for the client certificate and its private key<br/>and truststore (client.truststore) for the CA certificate
Note over Broker: Uses keystore (broker.keystore) for the broker certificate and its private key<br/>and truststore (broker.truststore) for the CA certificate
Client->>Broker: Initiate TLS connection (ClientHello)
Broker->>Client: Send broker certificate (signed by CA) and request a client certificate
Note over Client: Client verifies the CA signature on the broker certificate using client.truststore,<br/>checks the validity period, and checks that the hostname it connected to<br/>matches a SAN in the certificate
alt Broker certificate valid
Client->>Broker: Send client certificate (signed by CA)
Client->>Broker: Send CertificateVerify (a signature made with the client's private key, proving it holds that key)
Note over Broker: Broker verifies the CA signature on the client certificate using broker.truststore,<br/>checks the validity period and the CertificateVerify signature,<br/>and maps the certificate's subject DN to a Kafka principal (ssl.principal.mapping.rules) for later ACL checks
alt Client certificate valid
Note over Client, Broker: Both sides derive the session keys from an ephemeral Diffie-Hellman key exchange<br/>(mandatory in TLS 1.3); no session key is ever sent encrypted with a certificate's public key
Broker->>Client: Accept connection (handshake Finished)
Client->>Broker: Begin Kafka communication (encrypted with the session keys)
else Client certificate invalid
Broker->>Client: Reject connection (TLS alert)
end
else Broker certificate invalid
Client->>Broker: Terminate connection (TLS alert)
end
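The exchange in the diagram, as an added example that is not part of the original post and not Kafka's own code: a Go program using only the standard library that mints a CA, a broker certificate and a client certificate in memory (standing in for the keystore and truststore files), then runs the mTLS handshake over an in-memory pipe with client authentication required, the way a broker configured with ssl.client.auth=required does. The names kafka-ca, broker.example.com and producer-1 and the helper functions mint and connect are assumptions made for this example; the certificates are constructed on the fly rather than loaded from files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity is the content of one keystore: a certificate plus its private key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// mint creates a key pair and certificate for name (all names here are invented
// for the example). With parent nil it is a self-signed CA; otherwise a leaf signed
// by parent, valid until now+ttl (a negative ttl yields an already expired cert).
func mint(name string, parent *identity, ttl time.Duration, eku ...x509.ExtKeyUsage) identity {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the SAN a client checks the hostname against
		NotBefore:    time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku, // ServerAuth for the broker, ClientAuth for clients
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		issuer, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return identity{cert, key}
}

type outcome struct{ cn string; err error }

// connect runs one mTLS handshake between broker and client over an in-memory pipe.
// brokerCA and clientCA are the CA certificates in broker.truststore and
// client.truststore; serverName is the hostname the client expects. It returns the
// client CN the broker authenticated, or the first error raised on either side.
func connect(broker, client identity, brokerCA, clientCA *x509.Certificate, serverName string) (string, error) {
	brokerTrust, clientTrust := x509.NewCertPool(), x509.NewCertPool()
	brokerTrust.AddCert(brokerCA) // broker.truststore
	clientTrust.AddCert(clientCA) // client.truststore
	srv, cli := net.Pipe()
	srv.SetDeadline(time.Now().Add(5 * time.Second))
	cli.SetDeadline(time.Now().Add(5 * time.Second))
	result := make(chan outcome, 1)
	go func() {
		defer srv.Close()
		s := tls.Server(srv, &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{broker.cert.Raw}, PrivateKey: broker.key}},
			ClientAuth:   tls.RequireAndVerifyClientCert, // what ssl.client.auth=required asks for
			ClientCAs:    brokerTrust,
		})
		var r outcome
		if r.err = s.Handshake(); r.err == nil {
			r.cn = s.ConnectionState().PeerCertificates[0].Subject.CommonName // the principal
			_, r.err = s.Write([]byte("welcome " + r.cn))
		}
		result <- r
	}()
	defer cli.Close()
	c := tls.Client(cli, &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{client.cert.Raw}, PrivateKey: client.key}},
		RootCAs:      clientTrust,
		ServerName:   serverName, // hostname verification against the broker's SAN
	})
	// Read rather than just Handshake: in TLS 1.3 the client's handshake returns
	// before the broker has checked the client certificate, so a rejection lands here.
	if _, err := c.Read(make([]byte, 64)); err != nil {
		return "", err
	}
	r := <-result
	return r.cn, r.err
}

func main() {
	ca := mint("kafka-ca", nil, 24*time.Hour)
	broker := mint("broker.example.com", &ca, 24*time.Hour, x509.ExtKeyUsageServerAuth)
	client := mint("producer-1", &ca, 24*time.Hour, x509.ExtKeyUsageClientAuth)
	fmt.Println(connect(broker, client, ca.cert, ca.cert, "broker.example.com")) // producer-1 <nil>
	fmt.Println(connect(broker, client, ca.cert, ca.cert, "other.example.com"))  // hostname mismatch error
}
```

Swapping the CA certificate passed as brokerCA or clientCA for one from a different CA reproduces the two rejection branches of the diagram (broker not trusting the client's issuer, client not trusting the broker's issuer), and minting the client certificate with a negative ttl exercises the expiry check. Note that the CA's private key never appears in connect: verification on both sides needs only the CA certificate from the truststore.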