We currently support dynamic update of server-side keystores. This allows expired certs to be updated on brokers without a rolling restart. When mutual authentication is enabled for inter-broker-communication (ssl.client.auth=required), we dont currently dynamically update client-side keystores for controller or transaction coordinator. So a broker restart (or controller change) is required for cert update for this case. Since short-lived SSL cert is a common usecase, we should enable client-side cert updates for all client connections initiated by the broker to ensure that SSL certificate expiry can be handled with dynamic config updates on brokers for all configurations.