spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

SslBundle - Allow loading PEM encoded trusted certificates from multiple files #38754

Open bgK opened 7 months ago

bgK commented 7 months ago

At the moment, PEM SslBundles can be instantiated through the following properties:

spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "classpath:client.crt"

Where client.crt can contain multiple certificates.

In some situations, multiple very different certificates need to be trusted. For instance:

While concatenating all the trusted certificates in the same file is an option, it makes it quite hard to see at a glance which certificates are trusted, as they are PEM-encoded. It would be nice to be able to use file names to identify the certificates:

spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificates:
            - "classpath:allowed-client1.crt"
            - "classpath:allowed-client2.crt"

philwebb commented 7 months ago

There might be some overlap here with #38242 where we are looking to support directory glob patterns. If the order of the certificates isn't important we might be able to support something like this:

spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "/my/certs/allowed-*.crt"
            select: all

bgK commented 7 months ago

I hadn't seen #38242. Indeed, it fills almost the same need. It's nice in that the properties are backwards compatible and it makes it easy to have large numbers of certificates.

Here's a use case that I don't think is easily covered by #38242. A Spring Boot app deployed in Kubernetes. It calls an external service for which some instances are hosted in the same cluster, some instances are scaled out to an external provider. The internal instances are exposed using the Kubernetes CA, the other instances use some other CA. Kubernetes bind mounts the CA at a fixed location inside the pod /var/run/secrets/kubernetes.io/serviceaccount/ca.crt:

spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificates:
            - "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
            - "classpath:other-ca.crt"

IMO, both #38754 and this are good enhancements.
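To make concrete what loading trusted certificates from several PEM files amounts to underneath (the Kubernetes CA from its fixed mount path plus a second CA from the classpath, as in the comments above), here is an added plain-JDK example; it is not Spring Boot's own code, and the two file paths are placeholders standing in for the ones named in this issue. Each trust store alias carries the source file and index, so a dump of the store shows at a glance which file contributed each trusted certificate.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MultiPemTrustStore {

    // Placeholder paths for this example; adjust to the files you actually want to trust.
    static final List<Path> TRUSTED_PEM_FILES = List.of(
            Path.of("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"),
            Path.of("src/main/resources/other-ca.crt"));

    /** Builds an in-memory trust store holding every certificate from every listed PEM file. */
    static KeyStore loadTrustStore(List<Path> pemFiles) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null); // start from an empty, in-memory store
        for (Path file : pemFiles) {
            try (InputStream in = Files.newInputStream(file)) {
                // One PEM file may hold a single certificate or a concatenated bundle;
                // generateCertificates parses all of them.
                int index = 0;
                for (Certificate cert : factory.generateCertificates(in)) {
                    // Full path plus index keeps aliases unique and traceable to their file.
                    trustStore.setCertificateEntry(file + "#" + index++, cert);
                }
            }
        }
        return trustStore;
    }

    /** Wraps the trust store in an SSLContext usable by any JSSE-based HTTP client. */
    static SSLContext sslContextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(TRUSTED_PEM_FILES);
        for (String alias : Collections.list(trustStore.aliases())) {
            X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
            System.out.println(alias + " -> " + cert.getSubjectX500Principal());
        }
        sslContextFor(trustStore);
    }
}
```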

dopsun commented 1 month ago

To add to this ticket, a similar but not identical use case:

to allow multiple certs from a folder for different hostnames. This may open the possibility to support one Spring Boot application serving traffic for multiple domains.

The underlying Tomcat 8.5 already "allows multiple certificates with different names to be associated with a single TLS connector" (link).

scottfrederick commented 1 month ago

@dopsun Spring Boot 3.3 added support for configuring SSL bundles for hostnames (SNI). Does this meet your requirement?

dopsun commented 1 month ago

@scottfrederick Thanks for sharing this, I had not been aware of this feature yet. From a quick look at the link you shared, it seems to be what I'm waiting for. Will try it out ASAP.

quarky42 commented 1 week ago

I also need to be able to add multiple PEM format certificates to the truststore. Being able to add them in with wildcard or by name would be very helpful.

Having it be limited per hostname is not useful in my case, and my case would be covered by the other two options. I can see how mapping certs to specific hostnames is a good and useful config in other situations.