MQTT sink connector requires CA certificate configured when using self-signed client certs #1176

Open
@douggish

Description

The instructions to connect to an Azure Event Grid MQTT broker using an MQTT client such as MQTTX here say to configure a "Client Certificate File" and a "Client key file", but the "CA file" is left blank. My understanding is that in this case the OS trusted root CAs will be used to validate the server's certificate.

When trying to connect the MQTT sink connector to Azure Event Grid and setting the connect.mqtt.ssl.cert and connect.mqtt.ssl.key properties, but leaving connect.mqtt.ssl.ca.cert unset, the following exception is logged:

org.apache.kafka.common.config.ConfigException: You can't define one of the connect.mqtt.ssl.ca.cert,connect.mqtt.ssl.cert, connect.mqtt.ssl.key without the other

Eventually the issue was worked around by determining the root CA certificate that is used by Azure Event Grid (a DigiCert CA certificate) and configuring the connect.mqtt.ssl.ca.cert property.

However, it seems like the MQTT connector should support having connect.mqtt.ssl.ca.cert unset even when connect.mqtt.ssl.cert and connect.mqtt.ssl.key are set. In this case it should use the trusted CA certificates from the OS to validate the server certificate.
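
The behaviour requested above, sketched as an added example: this is not the connector's code, the class and method names are hypothetical, and the client key is assumed to be an unencrypted PKCS#8 RSA key in PEM form. When no CA file is given, passing a null KeyStore makes JSSE fall back to its default trust store (on the JVM, `cacerts` or the store named by `javax.net.ssl.trustStore`), while the client certificate and key are still presented for mutual TLS.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.*;

// Added example: class and method names are hypothetical, not the connector's API.
public class MqttTlsContext {
    static final char[] PW = "in-memory".toCharArray(); // protects only the in-memory key entry
    // caPath == null means: validate the broker against the JVM default trust store.
    static SSLContext build(String caPath, String certPath, String keyPath) throws Exception {
        if ((certPath == null) != (keyPath == null))
            throw new IllegalArgumentException("client cert and key must be set together");
        KeyManager[] kms = null; // stays null when no client certificate is configured
        if (certPath != null) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);
            ks.setKeyEntry("client", key(keyPath), PW, new Certificate[] {cert(certPath)});
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, PW);
            kms = kmf.getKeyManagers();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore ts = null; // null makes JSSE load its default trust store
        if (caPath != null) { // an explicit CA replaces the default trust anchors
            ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(null, null);
            ts.setCertificateEntry("ca", cert(caPath));
        }
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
    static Certificate cert(String path) throws Exception {
        byte[] pem = Files.readAllBytes(Paths.get(path));
        return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(pem));
    }
    // Assumption: unencrypted PKCS#8 RSA key in PEM form ("BEGIN PRIVATE KEY").
    static PrivateKey key(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII)
            .replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(pem)));
    }
}
```

Server certificate validation stays on in both branches; only the set of trust anchors changes.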
