"Last Used" field on Kafka Certificates in Console/API
As an organization (DevOps/Security/Vendor Manager) using Aiven Kafka,
we want to determine the last connected cert status of Kafka users,
so that we can know whether a Kafka user certificate has been successfully updated.
We automate certificate rolling to an extent with Terraform. Different teams of devs generally own their section of Terraform creating Kafka users. As of right now those certs expire every two years, and clicking "Yes I've updated" in the Aiven console just silences the alert; it provides no real-time verification from the running Kafka cluster that a certificate has actually been updated.
This means a user with console access can accidentally or erroneously click that button, claiming they have updated a Kafka certificate without actually updating it in staging/production. No alert or reminder email will be sent, the cert will expire, and the client will slowly start failing connections to partitions over days, costing thousands of dollars as the data transfer job fails, but in a piecemeal way that is not easily detected by health checks.
The result is simply that some data is missing, depending on partition key. Currently, without scanning every certificate in use by every application, this scenario is not detectable on our side, but it may be very easily visible if you have access to the Kafka connection logs and use those to surface in the Console which certificates are in use.
Jason Schlepp commented
To expand this idea, it would be great to also capture what IP address the expiring cert is being used from.
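As an illustration of what the request above (and the comment asking for the source IP) is after, here is a small added example, not Aiven's code or anything the console provides: it derives a "last used" view per Kafka user from connection logs and checks it against the certificate fingerprint Terraform was supposed to roll out. The log layout, the user names, the fingerprints and the addresses are all constructed for the example; a real broker's authentication log would need its own parser, but the aggregation is the same.

```python
"""Derive a per-user "last used" certificate view from Kafka connection logs
and verify that a rotation actually reached production.

Added example (not Aiven's code). The log format below is constructed for the
example; adapt LOG_RE to whatever your broker or proxy actually emits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical line format: timestamp, authenticated principal, SHA-256
# fingerprint of the presented client certificate, peer address, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+cert_sha256=(?P<fp>[0-9a-f]{8,})"
    r"\s+src=(?P<ip>\S+)\s+result=(?P<result>\w+)$"
)


@dataclass
class CertUsage:
    last_seen: datetime | None = None       # most recent successful connection
    last_fingerprint: str | None = None     # certificate presented on that connection
    stale_sources: set = field(default_factory=set)  # IPs still using an old cert after rotation
    status: str = "not-seen-since-rotation"


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def rotation_report(lines, expected: dict[str, str], rotated_at: datetime) -> dict[str, CertUsage]:
    """For each user in `expected` (user -> fingerprint of the NEW cert), work out
    whether the broker has actually seen the new cert since `rotated_at`.

    Statuses:
      rotated                 only the new cert has been seen since rotation
      old-cert-in-use         some client still presents a non-expected cert
      not-seen-since-rotation no successful connection since rotation, so nothing can be confirmed
    """
    report = {user: CertUsage() for user in expected}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "ok" or rec["user"] not in expected:
            continue
        usage = report[rec["user"]]
        if usage.last_seen is None or rec["ts"] > usage.last_seen:
            usage.last_seen = rec["ts"]
            usage.last_fingerprint = rec["fp"]
        # Track every peer that kept presenting an old cert after the rollout.
        if rec["ts"] >= rotated_at and rec["fp"] != expected[rec["user"]]:
            usage.stale_sources.add(rec["ip"])
    for user, usage in report.items():
        if usage.last_seen is None or usage.last_seen < rotated_at:
            usage.status = "not-seen-since-rotation"
        elif usage.last_fingerprint == expected[user] and not usage.stale_sources:
            usage.status = "rotated"
        else:
            usage.status = "old-cert-in-use"
    return report


# Constructed sample data: the rollout happened on 2024-06-01, and these are the
# fingerprints the new certificates are supposed to have.
ROTATED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPECTED = {"orders-svc": "b2b2b2b2", "billing-svc": "c3c3c3c3", "reports-svc": "d4d4d4d4"}
SAMPLE_LOG = """\
2024-05-30T08:00:00Z user=orders-svc cert_sha256=a1a1a1a1 src=10.0.1.5 result=ok
2024-06-02T09:15:00Z user=orders-svc cert_sha256=b2b2b2b2 src=10.0.1.5 result=ok
2024-06-02T09:16:00Z user=billing-svc cert_sha256=a9a9a9a9 src=10.0.2.7 result=ok
2024-06-03T11:00:00Z user=billing-svc cert_sha256=c3c3c3c3 src=10.0.2.8 result=ok
2024-05-20T12:00:00Z user=reports-svc cert_sha256=a0a0a0a0 src=10.0.3.9 result=ok
2024-06-04T12:00:00Z user=billing-svc cert_sha256=a9a9a9a9 src=10.0.2.7 result=failed
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    for user, usage in rotation_report(SAMPLE_LOG, EXPECTED, ROTATED_AT).items():
        seen = usage.last_seen.isoformat() if usage.last_seen else "never"
        print(f"{user:12} {usage.status:24} last_seen={seen} "
              f"cert={usage.last_fingerprint} stale_from={sorted(usage.stale_sources)}")
```

In the sample, orders-svc shows up as rotated, billing-svc is flagged because one host (10.0.2.7) was still presenting the old certificate after the rollout even though another host already uses the new one, and reports-svc cannot be confirmed at all because it has not connected since the rotation. That third state is the one the "Yes I've updated" button hides today: silence is not evidence that the new certificate is in use.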