Kafka / KAFKA-15273

Log common name of expired client certificate


Details

    • Patch

    Description

If a client tries to authenticate via mTLS with an expired certificate, the connection is closed and the IP address of the connection attempt is logged. However, in complex enterprise IT environments it might be very hard or even impossible to identify which client tried to connect if only the IP address is known (e.g. due to complex virtualization/containerization/NAT). This results in significant effort for the Kafka platform teams to identify the developers responsible for such a misconfigured client.

As a possible solution I propose to log the common name used in the client certificate in addition to the IP address. Due to security considerations, this should only be done if that certificate is just expired and would be valid otherwise (e.g. signed by a known, non-expired root/intermediate CA). The way Kafka should handle any valid/invalid/expired certificate must be exactly the same as before, except for the creation of a log message in case it is expired.
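The check the proposal describes, as an added example that is not code from the Kafka project or from this ticket: written in Go's standard library so it runs self-contained (Kafka itself is Java), with a constructed CA and an already-expired client certificate as fixture. The CN is returned only when the certificate fails verification solely because it is expired and would chain to a trusted CA otherwise; the function and fixture names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ExpiredButTrustedCN returns the client cert's CN and true only when verification fails
// solely because the cert is expired and it would pass every other check (signature,
// trusted issuer, key usage) inside its own validity window; otherwise "", false.
func ExpiredButTrustedCN(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (string, bool) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	var inv x509.CertificateInvalidError
	if _, err := leaf.Verify(opts); err == nil || !errors.As(err, &inv) || inv.Reason != x509.Expired {
		return "", false // valid, or rejected for a reason other than expiry: log nothing extra
	}
	// Go checks validity dates before building the chain, so re-verify just before NotAfter.
	opts.CurrentTime = leaf.NotAfter.Add(-time.Second)
	if _, err := leaf.Verify(opts); err != nil {
		return "", false // expired AND untrusted: the CN cannot be believed
	}
	return leaf.Subject.CommonName, true
}

// Fixture builds a constructed CA (valid 2020-2030) and a client cert with the given CN that
// expired on 2022-01-01 (errors ignored: test data only); trusted=false omits the CA from the pool.
func Fixture(cn string, trusted bool) (*x509.Certificate, *x509.CertPool) {
	jan1 := func(y int) time.Time { return time.Date(y, 1, 1, 0, 0, 0, 0, time.UTC) }
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: jan1(2020), NotAfter: jan1(2030), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: jan1(2021), NotAfter: jan1(2022), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	if trusted {
		pool.AddCert(ca)
	}
	return leaf, pool
}
```

The second Verify call is what implements the "would be valid otherwise" condition: without it, an expired certificate from an unknown issuer would also get its CN logged.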

People: Eike Thaden (ethaden)