ApsaraMQ for Kafka:Update the SSL certificate algorithm

Last Updated: Mar 11, 2026

ApsaraMQ for Kafka instances with Internet access use SSL certificates to encrypt client-broker communication. By default, the SSL certificate key size is 1,024 bits. To strengthen security, you can upgrade the key size to 4,096 bits.

The upgrade is a two-phase process: first replace the certificate on all clients, then change the key size in the console.

Important

Replace the client certificate before you change the key size in the console. If you change the console setting first, clients that still use the old certificate cannot connect.

Note

Serverless instances use a 4,096-bit key size by default. This value cannot be changed. The following instructions apply only to non-serverless instances.

Prerequisites

Before you begin, make sure that you have:

  • An ApsaraMQ for Kafka instance with Internet access purchased and deployed, in the Running state

  • Access to the ApsaraMQ for Kafka console

How it works

When you enable Internet access on an ApsaraMQ for Kafka instance, the system initializes SSL-related ports and assigns an SSL certificate. You can view the current key size in the Configurations section of the Instance Details page.

The upgrade from 1,024 bits to 4,096 bits involves two phases:

  1. Client-side -- Download a transition certificate that contains both the 1,024-bit and 4,096-bit certificates, deploy it to each client, and restart the clients.

  2. Server-side -- Change the SSL Certificate Key Size (Bits) parameter in the console to 4,096.

The transition certificate (mix.4096.client.truststore.jks for Java, mix-4096-ca-cert for other languages) works with both key sizes. This means clients stay connected whether the console still shows 1,024 or has already been switched to 4,096.

Step 1: Download the SSL certificate

Select the certificate file that matches your deployment state and programming language.

Java clients

| Current state | Certificate file | Description |
|---|---|---|
| New instance (not yet deployed) | only.4096.client.truststore.jks | 4,096-bit certificate only |
| Deployed instance with 1,024-bit key | kafka.client.truststore.jks | 1,024-bit certificate |
| Upgrading from 1,024 to 4,096 bits | mix.4096.client.truststore.jks | Both 1,024-bit and 4,096-bit certificates |

Non-Java clients

| Current state | Certificate file | Description |
|---|---|---|
| New instance (not yet deployed) | only-4096-ca-cert | 4,096-bit certificate only |
| Deployed instance with 1,024-bit key | ca-cert.pem | 1,024-bit certificate |
| Upgrading from 1,024 to 4,096 bits | mix-4096-ca-cert | Both 1,024-bit and 4,096-bit certificates |

For non-Java certificate download links, see the "SDKs" section in Overview.

Note

For a key size upgrade, use the mix certificate. It supports both 1,024-bit and 4,096-bit key sizes, so clients remain connected throughout the migration.

Step 2: Replace the certificate and restart clients

  1. Copy the downloaded certificate file to the SSL certificate directory on your client.

  2. Update the client configuration to reference the new certificate file.

     Java clients -- Set the ssl.truststore.location property in your Kafka client configuration:

       ssl.truststore.location=/path/to/mix.4096.client.truststore.jks

     Non-Java clients -- Point to the new CA certificate file. For example, for Python clients using confluent-kafka:

       conf = {
           'bootstrap.servers': '<your-endpoint>',
           'security.protocol': 'SSL',
           'ssl.ca.location': '/path/to/mix-4096-ca-cert',
       }

  3. Restart the client to load the new certificate.

  4. Repeat steps 1--3 for all clients that connect to the instance over the Internet.

Note

Verify that each client can produce and consume messages after restarting. Confirm all clients are working before you proceed to Step 3.
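The following script is an added example for the non-Java path described in Step 2 and the verification note above; it is not Alibaba Cloud's code. It assumes the CA files (ca-cert.pem, mix-4096-ca-cert, only-4096-ca-cert) are PEM bundles with one CERTIFICATE block per CA, which is how this page describes them. It checks that the file you are about to deploy matches the migration phase (the mix bundle must carry two CAs before the console switch; the only-4096 file should carry one after it), builds the confluent-kafka SSL configuration, and, when run against a real endpoint, completes a TLS handshake that trusts only that CA file so a chain-validation failure surfaces before you restart the Kafka client. The sample bundles and the endpoint placeholder are constructed; the key-size report is optional and needs the cryptography package.

```python
"""Pre-flight and post-migration checks for the Kafka SSL key-size upgrade.

Added example (not Alibaba Cloud's code). Assumes the non-Java CA files are
PEM bundles, one CERTIFICATE block per CA, as this page describes them.
"""
import re
import socket
import ssl
import sys

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundles with placeholder bodies (not real certificates):
# MIX_BUNDLE stands in for mix-4096-ca-cert, ONLY_BUNDLE for only-4096-ca-cert.
MIX_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIB...legacy-1024-bit-ca...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIF...new-4096-bit-ca...\n-----END CERTIFICATE-----\n"
)
ONLY_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIF...new-4096-bit-ca...\n-----END CERTIFICATE-----\n"
)


def count_pem_certs(pem_text: str) -> int:
    """Number of CERTIFICATE blocks in a PEM bundle."""
    return len(PEM_CERT_RE.findall(pem_text))


def check_ca_bundle(pem_text: str, phase: str) -> tuple:
    """Check that the CA file fits the migration phase.

    phase="transition": clients are switched while the console still shows
    1,024 bits, so the bundle must carry both CAs (the mix file).
    phase="final": the console already shows 4,096 bits and the legacy CA is
    being dropped, so exactly one CA is expected (the only-4096 file).
    Returns (ok, message).
    """
    n = count_pem_certs(pem_text)
    if n == 0:
        return False, "no CERTIFICATE block found; wrong file or not PEM"
    if phase == "transition" and n < 2:
        return False, (f"{n} CA found; use mix-4096-ca-cert so clients stay "
                       "connected when the console switches to 4,096 bits")
    if phase == "final" and n != 1:
        return False, f"{n} CAs found; only-4096-ca-cert should carry one CA"
    return True, f"{n} CA certificate(s) found"


def build_client_conf(endpoint: str, ca_path: str) -> dict:
    """confluent-kafka style SSL configuration pointing at the chosen CA file."""
    return {
        "bootstrap.servers": endpoint,
        "security.protocol": "SSL",
        "ssl.ca.location": ca_path,
    }


def probe_broker(host: str, port: int, ca_path: str, timeout: float = 5.0) -> dict:
    """Live check (needs network): TLS handshake with the broker, trusting only
    the CAs in ca_path. Raises ssl.SSLError when the broker's chain does not
    validate against that file, the same failure a misconfigured client sees.
    Hostname verification is left at the ssl module's default (enabled)."""
    ctx = ssl.create_default_context(cafile=ca_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result = {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": tls.getpeercert().get("subject"),
            }
            try:  # optional: report the broker's key size if cryptography is installed
                from cryptography import x509
                cert = x509.load_der_x509_certificate(tls.getpeercert(binary_form=True))
                result["key_bits"] = cert.public_key().key_size
            except ImportError:
                pass
            return result


if __name__ == "__main__":
    # Offline run over the constructed bundles; pass "host port ca-file" for a live probe.
    for name, text, phase in (("mix", MIX_BUNDLE, "transition"), ("only", ONLY_BUNDLE, "final")):
        print(name, phase, check_ca_bundle(text, phase))
    print(build_client_conf("<your-endpoint>:9093", "/path/to/mix-4096-ca-cert"))
    if len(sys.argv) == 4:
        print(probe_broker(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run the offline checks before Step 2 with the file you downloaded in Step 1, and the live probe after each client restart and again after Step 3: a handshake that succeeds with the mix bundle in both phases confirms the transition certificate behaves as the "How it works" section states. For Java truststores the equivalent inspection is `keytool -list -keystore mix.4096.client.truststore.jks`, which should list two trusted entries for the mix file and one for the only-4096 file.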

Step 3: Change the key size in the console

After all clients use the new certificate:

  1. Log in to the ApsaraMQ for Kafka console.

  2. Open the Instance Details page for your instance.

  3. In the Configuration Information section, change the value of SSL Certificate Key Size (Bits) to 4096. For detailed instructions, see Modify message configurations.

Step 4: Verify the update

  1. On the Instance Details page, confirm that the SSL Certificate Key Size (Bits) value is 4096 in the Configurations section.

  2. Check that all clients can produce and consume messages without errors.

  3. (Optional) If you used the mix transition certificate, you can replace it with the only.4096.client.truststore.jks (Java) or only-4096-ca-cert (non-Java) certificate to remove the legacy 1,024-bit certificate from your clients.