I have an existing application that uses the org.restlet.engine.ssl.DefaultSslContextFactory and a keystore file that is loaded when the server is started. I have another application that creates certificates that have to be added dynamically to the keystore file while the server is running. To do this, I create the certificate and the private key in code and then write them to a directory. The directory is watched by a bash script that checks for new files, and if one appears it is imported into the existing keystore file.
But when trying to access the server with the newly imported certificate, the handshake fails. Only after restarting the server can the access be completed successfully, which I assume means that the added certificate is not reloaded by the running server.
Is there a way to update the running application with the new entry in the keystore file?
2 Answers

Answer 1
Importing the new certificate into your keystore doesn't refresh your current SSLContext, as nothing tells the JVM that the keystore has changed.
To do that you'll have to tell your application that a new certificate was added to your keystore. Reloading the keystore itself is, as far as I know, not possible, but what is possible is that you can add the new certificate into your current SSLContext. See here.
To achieve that, you have to provide a bean that is aware of the new certificate (maybe the component that calls your bash script) into which you inject an SSLContext instance.
It would also be interesting to split your application using a microservice architecture, delegate certificate handling to one module, and reload that module (behind a properly configured LB) whenever the keystore is updated.
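Answer 1's observation that an initialized SSLContext does not notice a changed keystore file can be worked around by giving the SSLContext a trust manager that re-reads the file whenever its modification time changes. This is an added example, not code from the question, the answers or Restlet; the keystore path and password are placeholders, and it covers the server's trust set (the client-authentication case the question describes), not the server's own key entry.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** X509TrustManager that re-reads the truststore file whenever its mtime changes. */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path storePath;      // assumption: the keystore file the bash script imports into
    private final char[] storePassword;
    private long loadedMtime = -1;
    private X509TrustManager delegate;
    public ReloadingTrustManager(Path storePath, char[] storePassword) throws Exception {
        this.storePath = storePath;
        this.storePassword = storePassword;
        load();  // the first load must succeed, or the server would start with an empty trust set
    }

    private void load() throws Exception {
        long mtime = Files.getLastModifiedTime(storePath).toMillis();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, storePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { delegate = (X509TrustManager) tm; break; }
        }
        loadedMtime = mtime;  // advance only after a good load, so a half-written file is retried
    }

    /** Called on every handshake: reloads if the file changed, keeps the last good set on failure. */
    private synchronized X509TrustManager current() {
        try {
            if (Files.getLastModifiedTime(storePath).toMillis() != loadedMtime) load();
        } catch (Exception e) {
            System.err.println("truststore reload failed, keeping previous trust set: " + e);
        }
        return delegate;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);  // a CA imported after startup is now honoured
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
}
```

Wire it once with `sslContext.init(null, new TrustManager[] { new ReloadingTrustManager(path, password) }, null)`; because the context holds the wrapper rather than a snapshot of the file, the server keeps running while the bash script imports new entries.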
Answer 2
Since this seems to be quite an impossible task to accomplish, I decided on a workaround. I used nginx as a proxy in front of the application. Nginx is able to perform client authentication with multiple CA root certificates, which is exactly what I need. The connection between the application and nginx can simply be done via HTTP, since they reside on the same host (just on different ports).