Axual Cloud CA change from DigiCert to Let’s Encrypt

Warning

Please read this notice carefully. Not following the guidelines could cause disruptions in your connection to Axual Cloud.

What is going to happen?

On November 17th starting from 10:00 AM, Axual Cloud brokers are going to switch to certificates issued by ISRG X1 (Let’s Encrypt). This is because the current certificate used by the brokers will expire on January 11th, 2026.

What do I need to do?

Any application interacting with the Kafka brokers needs to trust the new Certificate Authority (CA). This can be done by importing the "ISRG Root X1" certificate into the truststore of your application.

A truststore of an application typically can hold multiple CA’s, so you can prepare for the change in advance, by having both current and new CA in there.

What happens if I don’t do anything?

If you don’t ensure that ISRG X1 CA is in your application’s truststore, your application can (and probably will) lose access to the Kafka brokers because it doesn’t trust the issued certificate to the broker. Producing and consuming from any topics will stop immediately.

I am not ready, can you please postpone this change?

Please talk to your Kafka team if this is the case. If you don’t have or know the Kafka team in your organization, please create a support ticket.