This is a must have for any SaaS in my opinion.

Cryptography configuration is too easy to get wrong to risk exposing oneself to security breaches by multiplying the necessary configuration to establish basic connectivity.

Productivity annoyances:
- low-value wiring code and configuration to account for the self-signed CA
- connectivity loss when configuration doesn't work, easily done with self-signed crypto
- need to account for provisionning, distributing and injecting the CA in all clients
- need to establish a provider specific procedure and support to roll certificates.

Risks:
- injecting custom CAs in a kubernetes context usually involves startup hooks that can fail and prevent the deployment of new software versions
- the self-signed CA is valid for 10 years and can sign TLS certificates for any domain name, exposing services trusting this CA durably to MITM attacks if the associated private key is compromised
- we see such a risks as less likely to happen with specialized industry actors.

Additionally, I believe it would also be in aiven's interest to offload the sensitive private key lifecycle, confidentiality and related incident management to a industry recognized and specialized actor.

This is a very important feature for us. Opening a ticket for requesting a public CA for each new Kafka cluster reduces the productivity of Data Engineers because they need to wait one day to use the Kafka cluster for their development.

This is necessary since integrating other cloud providers with Aiven fails since they don't trust internal CA used for SASL auth. I was confused this isn't already default since REST uses Letsencrypt.