Status: Open
Labels: status: pending-design-work (Needs design work before any code can be developed), theme: ssl (Issues related to ssl support), type: enhancement (A general enhancement)

Description
At the moment, PEM `SslBundle`s can be instantiated through the following properties:
```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "classpath:client.crt"
```
where `client.crt` can contain multiple certificates.
In some situations, multiple very different certificates need to be trusted. For instance:
- An external service changes the CA it uses to sign the certificate it exposes. Both the old one and the new one need to be trusted on the client side to avoid downtime.
- When exposing a service with mutual authentication enabled, and when the corporate CA is re-used for multiple systems, it can be somewhat easy to obtain a keypair for a given FQDN. Trusting the CA is not an option; the trust store must contain all the allowed certificates.
While concatenating all the trusted certificates in the same file is an option, it makes it quite hard to see at a glance which certificates are trusted, as they are PEM-encoded.
It would be nice to be able to use file names to identify the certificates:
```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificates:
              - "classpath:allowed-client1.crt"
              - "classpath:allowed-client2.crt"
```
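The "hard to see at a glance" problem with a concatenated `client.crt`, as an added example that is not part of this issue or of Spring Boot: a small standalone Go program that walks every certificate in a concatenated PEM trust store and lists each entry's subject, SHA-256 fingerprint and expiry, failing loudly on a malformed entry instead of silently trusting fewer certificates. The two self-signed certificates are constructed in the program as stand-ins for `allowed-client1.crt` and `allowed-client2.crt`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SelfSignedPEM returns a throwaway self-signed certificate for cn, PEM-encoded (constructed test data).
func SelfSignedPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// InspectTrustStore walks every CERTIFICATE block of a concatenated PEM file (the single
// client.crt layout) and returns one "subject sha256:fp expires date" line per trusted
// certificate. A malformed certificate is an error, never a silently smaller trust store.
func InspectTrustStore(pemData []byte) ([]string, error) {
	var lines []string
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // a stray PRIVATE KEY block has no business in a trust store
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", len(lines)+1, err)
		}
		fp := sha256.Sum256(cert.Raw)
		lines = append(lines, fmt.Sprintf("%s sha256:%x expires %s",
			cert.Subject.CommonName, fp, cert.NotAfter.UTC().Format("2006-01-02")))
	}
	return lines, nil
}

func main() {
	bundle := append(SelfSignedPEM("allowed-client1"), SelfSignedPEM("allowed-client2")...)
	lines, err := InspectTrustStore(bundle) // two files concatenated into one, as in the issue
	fmt.Printf("%s\nerr=%v\n", strings.Join(lines, "\n"), err)
}
```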