Right now, the client requires that the truststore for the HTTPS communication between the OAuth client (both in broker and in Kafka client) and the OAuth server is passed as JKS or PKCS12 formats. But in many cases, you have the certificate only in the PEM format. So you need to convert it first for example using Java keytool or OpenSSL.