Configuring Telegraf Kafka output SSL

Hi there, I’m a couple of days new to the TICK stack and love the experience of playing around. Thanks for the awesome stack.
I’m trying to configure TLS for the Telegraf Kafka client for both inputs and outputs.

I have generated certificates for Kafka and these are the steps:

#Step 1
keytool -keystore server.keystore.jks -alias localhost -validity 365 -genkey

#Step 2
openssl req -new -x509 -keyout ca-key -out ca-cert -days 365
keytool -keystore server.truststore.jks -alias CARoot -import -file ca-cert
keytool -keystore client.truststore.jks -alias CARoot -import -file ca-cert

#Step 3
keytool -keystore server.keystore.jks -alias localhost -certreq -file cert-file
openssl x509 -req -CA ca-cert -CAkey ca-key -in cert-file -out cert-signed -days 365 -CAcreateserial -passin pass:test1234
keytool -keystore server.keystore.jks -alias CARoot -import -file ca-cert
keytool -keystore server.keystore.jks -alias localhost -import -file cert-signed

keytool -importkeystore -srckeystore server.truststore.jks -destkeystore server.p12 -deststoretype PKCS12
openssl pkcs12 -in server.p12 -nokeys -out server.cer.pem

keytool -importkeystore -srckeystore server.keystore.jks -destkeystore client.p12 -deststoretype PKCS12
openssl pkcs12 -in client.p12 -nokeys -out client.cer.pem
openssl pkcs12 -in client.p12 -nodes -nocerts -out client.key.pem

I’m successfully using .jks for Java clients.

Configured in outputs.Kafka:

tsl_ca = "client.cer.pem"
tsl_cert = "server.cer.pem"
tsl_key = "client.key.pem"
insecure_skip_verify = true

which is not working.
On Telegraf restart, this is the error:
E! [agent] Failed to connect to output kafka, retrying in 15s, error was ‘could not load keypair server.cer.pem:/client.key.pem: tls: failed to parse private key’

What is happening? Can someone help? Thanks.

One thing I noticed is that you have your certs backwards. Kafka outputs with telegraf.conf should be:

tls_ca = "server.cer.pem"
tls_cert = "client.cer.pem"
tls_key = "client.key.pem"

I have a similar issue.
I have the root CAs published by AWS for tls_ca and have used an AWS ACM_PCA signed client cert.pem and client privatekey.pem.

tls_ca = "AWSpublicCAroot.pem"
tls_cert = "signed-pca-cert.pem"
tls_key = "client-private-key.pem"

Error I get
2021-05-26T15:45:05Z E! [telegraf] Error running agent: could not initialize input inputs.kafka_consumer: could not load keypair /etc/telegraf/signed-pca-cert.pem:/etc/telegraf/client-private-key.pem: tls: failed to parse private key

But I did generate my signed cert and key with a client password.
So is there a way to set the client password in the TLS config so that the client key is loaded and parsed properly?
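
Added example, not part of any post in this thread: Telegraf is written in Go, and the "tls: failed to parse private key" error in both reports comes from Go's crypto/tls, whose key-pair loader takes no password and does not decrypt password-protected keys. The sketch below classifies a key file the way such a loader sees it; `diagnoseKey` and `sampleKeys` are hypothetical names, and the sample keys are constructed in the code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// diagnoseKey classifies a PEM key file as seen by a loader with no password support.
func diagnoseKey(data []byte) string {
	for {
		var b *pem.Block
		if b, data = pem.Decode(data); b == nil {
			return "no private key block found"
		}
		switch {
		case !strings.HasSuffix(b.Type, "PRIVATE KEY"):
			continue // certificate or other block, keep looking
		case b.Type == "ENCRYPTED PRIVATE KEY":
			return "encrypted (PKCS#8)"
		case strings.Contains(b.Headers["Proc-Type"], "ENCRYPTED"):
			return "encrypted (legacy PEM)"
		}
		// Unencrypted block: try the three encodings crypto/tls accepts.
		_, e1 := x509.ParsePKCS1PrivateKey(b.Bytes)
		_, e2 := x509.ParsePKCS8PrivateKey(b.Bytes)
		if _, e3 := x509.ParseECPrivateKey(b.Bytes); e1 == nil || e2 == nil || e3 == nil {
			return "ok"
		}
		return "unparseable: unsupported algorithm or corrupt data"
	}
}

// sampleKeys builds constructed inputs; the "encrypted" ones are relabelled stand-ins.
func sampleKeys() (plain, p8enc, legacy []byte) {
	_, k, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	enc := func(t string, h map[string]string) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: t, Headers: h, Bytes: der})
	}
	return enc("PRIVATE KEY", nil), enc("ENCRYPTED PRIVATE KEY", nil),
		enc("RSA PRIVATE KEY", map[string]string{"Proc-Type": "4,ENCRYPTED"})
}

func main() {
	a, b, c := sampleKeys()
	fmt.Println(diagnoseKey(a), "|", diagnoseKey(b), "|", diagnoseKey(c))
}
```

Text before the BEGIN line, such as the "Bag Attributes" preamble that `openssl pkcs12` writes, is skipped by the PEM decoder and does not by itself produce this error.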