Upcoming Apache Kafka on Heroku CA Certificate Rotation starting July 31, 2017

Change effective on 17 July 2017

Heroku needs to rotate the CA certificates involved in authentication from time to time, in order to keep services secure and up to date. A rotation of this sort is due for the Kafka clusters managed by Heroku.

The KAFKA_TRUSTED_CERT environment variable used when connecting to an Apache Kafka cluster will start containing multiple PEM-encoded certificates on July 31st, 2017. Two weeks later, in the week of August 14th, clusters will start undergoing Certificate Authority (CA) certificate rotation.

Please refer to our Dev Center documentation to understand how various client libraries should handle this.

Here is the full timeline:

  • Beginning the week of July 31st 2017: clusters will receive two certificates in the KAFKA_TRUSTED_CERT config var. This is only a config var change, but is necessary to ensure that certificates can be rotated without a large potential impact to your application.
  • Beginning the week of August 14th 2017: clusters will undergo CA certificate rotation. During this time, the KAFKA_TRUSTED_CERT, KAFKA_CLIENT_CERT and KAFKA_CLIENT_CERT_KEY config vars will receive updates, and the clusters will receive rolling broker restarts.
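
As an added example (not Heroku's code), this Python check splits the value of KAFKA_TRUSTED_CERT into its individual certificates, fingerprints each one, and builds a TLS context that trusts all of them rather than only the first. The function names are this example's own, and the sample bundle is constructed from placeholder bytes, not real certificates.

```python
import base64
import hashlib
import os
import re
import ssl

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def split_pem_bundle(bundle):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    ders = []
    for match in PEM_CERT.finditer(bundle):
        body = "".join(match.group(1).split())       # drop line breaks
        der = base64.b64decode(body, validate=True)
        if der[:1] != b"\x30":                        # a certificate is a DER SEQUENCE
            raise ValueError("PEM block is not a DER SEQUENCE")
        ders.append(der)
    if not ders:
        raise ValueError("no certificates found in bundle")
    return ders

def fingerprints(bundle):
    """SHA-256 of each CA, for logging which CAs the app currently trusts."""
    return [hashlib.sha256(der).hexdigest() for der in split_pem_bundle(bundle)]

def trust_context(bundle):
    """TLS context that trusts every CA in the bundle, not only the first."""
    split_pem_bundle(bundle)                          # fail early on a malformed value
    return ssl.create_default_context(cadata=bundle)

def _sample_pem(der):
    # Constructed placeholder, not a real certificate: exercises the splitter only.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

SAMPLE_BUNDLE = _sample_pem(b"\x30\x03\x02\x01\x01") + _sample_pem(b"\x30\x03\x02\x01\x02")

if __name__ == "__main__":
    bundle = os.environ.get("KAFKA_TRUSTED_CERT", SAMPLE_BUNDLE)
    for i, fp in enumerate(fingerprints(bundle), 1):
        print(f"trusted CA {i}: sha256={fp}")
    if "KAFKA_TRUSTED_CERT" in os.environ:
        trust_context(bundle)                         # raises if a CA fails to load
```

Logging the fingerprints at startup gives a record of which CAs the application trusted before and after the config var update.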

To best handle these changes, ensure that your application: