TLS Basics, and Why There Are Three Certificate Files
TLS does two jobs: encryption and identity. Identity needs three files, not one. root_ca verifies them; certificate plus private_key proves you. Here's the split.
First, the words. TLS (older name: SSL) is the protocol that secures a network connection. It does two separate jobs, and it helps to keep them apart:
- Encryption. Both sides agree on a shared secret key during a short setup called the handshake, then use it to scramble the traffic so nobody in between can read it.
- Identity. Each side can prove who it is with a certificate, a digital ID document signed by a Certificate Authority (CA), an issuer everyone agrees to trust.
The handshake in plain steps: the client says hello, the server sends its certificate, the client checks that a CA it trusts signed that certificate, both sides derive the same secret key without ever sending it across, and then the real, encrypted data flows.
Where people get lost is that identity needs three files, not one. They look alike and they are not:
| File | What it is | Secret? |
|---|---|---|
root_ca.pem | the trust anchor: proves the other side’s certificate is legit | no |
certificate.pem | your own public ID, signed by the CA | no |
private_key.pem | the matching secret that proves the ID is really yours (never sent) | yes |
Rule of thumb: you check the other side with root_ca, and you prove yourself with certificate plus private_key. (.pem is just a common text format for storing these.)
In this migration: the deploy puts exactly these three files next to pixel-service so it can speak TLS to the Kafka server on port 9093. Leaking private_key.pem would hand someone your identity, so the verify script deletes it on exit.
root_cachecks them.certificateplusprivate_keyproves you. Mix the roles up and nothing connects.
References
- https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
- https://www.ssl.com/article/ssl-tls-handshake-ensuring-secure-online-interactions/
Related: these three files are what makes the Kafka client’s SSL config work, and the difference between showing one cert or two is one-way vs mutual TLS. Back to the overview: two SSLs behind one migration ticket.