Support multiple PEM encoded certificates #38754
Comments
There might be some overlap here with #38242 where we are looking to support directory glob patterns. If the order of the certificates isn't important we might be able to support something like this:

```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "/my/certs/allowed-*.crt"
            select: all
```
I hadn't seen #38242. Indeed, it fills almost the same need. It's nice in that the properties are backwards compatible and it makes it easy to have large numbers of certificates. Here's a use case that I don't think is easily covered by #38242: a Spring Boot app deployed in Kubernetes. It calls an external service for which some instances are hosted in the same cluster and some instances are scaled out to an external provider. The internal instances are exposed using the Kubernetes CA, the other instances use some other CA. Kubernetes bind mounts the CA at a fixed location inside the pod:

```yaml
spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificates:
              - "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
              - "classpath:other-ca.crt"
```

IMO, both #38754 and this are good enhancements.
Adding to this ticket a similar but not identical use case: allow multiple certs from a folder for different hostnames. This may open the possibility of one Spring Boot application serving traffic for multiple domains. The underlying Tomcat 8.5 already "allows multiple certificates with different names to be associated with a single TLS connector" (link).

@dopsun Spring Boot 3.3 added support for configuring SSL bundles for hostnames (SNI). Does this meet your requirement?

@scottfrederick Thanks for sharing this, I had not been aware of this feature yet. From a quick look at the link you shared, it seems to be what I'm waiting for. Will try it out ASAP.

I also need to be able to add multiple PEM format certificates to the truststore. Being able to add them by wildcard or by name would be very helpful. Having it limited per hostname is not useful in my case, and my case would be covered by the other two options. I can see how mapping certs to specific hostnames is a good and useful config in other situations.
That's a great idea. I'd also like to add a little bit of salt here. With k8s you should be able to mount the volumes as optional:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  containers:
    - name: mypod
      image: myimage
      volumeMounts:
        - name: foo-ca
          mountPath: /var/run/secrets/foo/ca.crt
        - name: bar-ca
          mountPath: /var/run/secrets/bar/ca.crt
  volumes:
    - name: foo-ca
      secret:
        secretName: foo-ca
        optional: true
    - name: bar-ca
      secret:
        secretName: bar-ca
        optional: true
```

In this scenario, there should be a way to flag to the SSLBundle API that the CA is optional, and when it is not available it should still attempt to load the other CAs and not prevent the service from starting. For supporting this feature we can extend your proposal with something like:
Regarding my comment above, we currently have an in-house component for supporting this and we are willing to contribute if that's acceptable from the Spring team's side. Please let me know your views on this so we can start.
**Problem Statement**

The challenge is the dynamic updating and management of certificates in an application that supports mTLS and interacts with client services that are frequently added and removed. Suppose your application needs to support mTLS with two well-known client services, `foo` and `bar`, each having a specific intermediate CA (Certificate Authority). Client services are dynamically installed/removed from the cluster. For improved resiliency/manageability, you do not want to change the deployment of your application whenever a new client service is installed in the cluster: the client CAs must be dynamically added to/removed from your server truststore as their services are installed/removed from the cluster.

**Proposed Solution**

This PR aims to address this issue by allowing certificates to be marked as optional. With this feature, the application can start and continue running regardless of the availability of these certificates.

**Current Status**

This pull request is currently a draft/proof of concept. It does not yet include tests or documentation and is intended to gather feedback. The implementation includes several TODOs, such as:

- Extending optionality to the private key (only added to the certificate).
- Adding necessary validations.

An example of `application.yaml` with optionality would look like:

```properties
spring.ssl.bundle.pem.server.keystore.certificate=/var/run/secrets/foo/server.crt
spring.ssl.bundle.pem.server.keystore.private-key=/var/run/secrets/foo/server.key
spring.ssl.bundle.pem.server.keystore.private-key-password=123456
spring.ssl.bundle.pem.server.reload-on-update=true
spring.ssl.bundle.pem.server.truststore.certificate=optional:/var/run/secrets/foo/ca.crt
```

**Related Issue**

This PR is related to a comment in this issue [spring-projects#38754](spring-projects#38754 (comment))
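To make the semantics discussed in this thread concrete, here is an added, stand-alone example that is not code from Spring Boot or from the PR above. It builds an in-memory truststore from a list of PEM locations and accepts three forms that the thread proposes: a plain path (the `certificates:` list), a glob in the last path segment (the `allowed-*.crt` idea from #38242), and a hypothetical `optional:` prefix under which a missing file is skipped instead of aborting startup. The prefix, the glob expansion and the alias scheme are this example's own assumptions, not Spring Boot API; `classpath:` resources are not handled. It uses only the JDK (Java 17 or later) and prints the subject of every certificate it loads, which is the "at a glance" visibility that a concatenated PEM file lacks.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.PathMatcher;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.stream.Stream;

/** Example only: assembles a truststore from several PEM locations. Not Spring Boot code. */
public final class PemTrustStoreLoader {

    /** Hypothetical marker, modelled on the PR's proposal: a missing file is tolerated. */
    private static final String OPTIONAL_PREFIX = "optional:";

    /**
     * Load every certificate found at the given locations into a fresh in-memory KeyStore.
     * A location is a plain path, a glob in its last segment, or either of those with the
     * "optional:" prefix. A required location that resolves to no file fails loudly.
     */
    public static KeyStore load(List<String> locations) throws GeneralSecurityException, IOException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start empty
        int index = 0;
        for (String location : locations) {
            boolean optional = location.startsWith(OPTIONAL_PREFIX);
            String pattern = optional ? location.substring(OPTIONAL_PREFIX.length()) : location;
            List<Path> files = resolve(pattern);
            if (files.isEmpty()) {
                if (optional) {
                    // Never silent: a skipped CA is a fact the operator must be able to see.
                    System.out.println("WARN optional certificate location has no files: " + pattern);
                    continue;
                }
                throw new NoSuchFileException(pattern);
            }
            for (Path file : files) {
                try (InputStream in = Files.newInputStream(file)) {
                    // generateCertificates parses every certificate in a concatenated PEM file.
                    for (Certificate cert : factory.generateCertificates(in)) {
                        X509Certificate x509 = (X509Certificate) cert;
                        // Alias = file name + running index, so several certs per file stay distinct.
                        String alias = file.getFileName() + "-" + index++;
                        trustStore.setCertificateEntry(alias, x509);
                        System.out.println(alias + " -> " + x509.getSubjectX500Principal());
                    }
                }
            }
        }
        return trustStore;
    }

    /** Expand a glob in the last path segment; a plain path resolves to itself if it exists. */
    private static List<Path> resolve(String pattern) throws IOException {
        Path path = Paths.get(pattern);
        Path dir = path.getParent() == null ? Paths.get(".") : path.getParent();
        String name = path.getFileName().toString();
        if (!name.contains("*") && !name.contains("?")) {
            return Files.exists(path) ? List.of(path) : List.of();
        }
        if (!Files.isDirectory(dir)) {
            return List.of();
        }
        PathMatcher matcher = dir.getFileSystem().getPathMatcher("glob:" + name);
        try (Stream<Path> entries = Files.list(dir)) {
            return entries.filter(p -> matcher.matches(p.getFileName())).sorted().toList();
        }
    }

    public static void main(String[] args) throws Exception {
        // Paths below are illustrative (the ones used in this thread), not files shipped with the example.
        KeyStore trustStore = load(List.of(
                "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
                "optional:/var/run/secrets/foo/ca.crt",
                "optional:/my/certs/allowed-*.crt"));
        System.out.println("trusted certificates: " + trustStore.size());
    }
}
```

Two points worth keeping in mind with the `optional:` idea. First, the failure mode differs by side: a CA missing from a server truststore fails closed (clients issued under it are simply rejected), whereas one missing from a client truststore makes the outbound connection fail; in both cases the skip should be logged at warning level so that an empty Secret is noticed rather than mistaken for a working deployment. Second, aliases must be unique per certificate, not per file, or a later certificate in a concatenated PEM silently overwrites an earlier one in the KeyStore.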
At the moment, PEM `SslBundle`s can be instantiated through the following properties:

Where `client.crt` can contain multiple certificates.

In some situations, multiple very different certificates need to be trusted. For instance:

While concatenating all the trusted certificates in the same file is an option, it makes it quite hard to see at a glance which certificates are trusted, as they are PEM-encoded.

It would be nice to be able to use file names to identify the certificates: