Configure additional truststore in Spring Boot Tomcat Server

Question

I have a spring boot client application and a server application. I am implementing MTLS client authentication part. I have a client certificate that is self signed and this needs to be added to a custom truststore in the server. Basically I am looking for a mechanism to add my custom truststore at runtime.

I want the default truststore and the custom truststore to be picked up. I implemented this using TomcatServletWebServerFactory but I did not have any luck. Can someone please help. I am looking for a programmatic solution.

I do not want to change the default java truststore. I still need that.

Answer 1

Since you do not want to replace the existing truststore with your custom one (that could be done by running the JVM with a few system properties) you need to add code that trusts a peer if the builtin or a custom trusttore approve the client.

For this you need to create and install your own Trustmanager. See an example here: https://community.oracle.com/tech/developers/discussion/1535342/java-ssl-trustmanager

If the checkClientTrusted and checkServerTrusted methods do not raise an exception the certificate is approved. Leaving the methods empty would even turn off any certificate validation - not to be recommended.

Answer 2

In order to establish a SSL connection with client certificates between a Spring client application and a Spring server application, there are a few things to note:

Involved Trust Stores

There are two very different trust stores relevant in this context:

1. The trust store used by the client to determine whether it can trust the server's SSL certificate. When using the java.net package for client requests, the trust store is configured via the JVM property "javax.net.ssl.trustStore" - see e.g. https://docs.oracle.com/javadb/10.8.3.0/adminguide/cadminsslclient.html

2. The trust store used by Tomcat (the underlying servlet container used by Spring Boot in its default configuration) to determine whether it shall trust a client. This is configured via the spring application property "server.ssl.trust-store" - see https://docs.spring.io/spring-boot/docs/current/reference/html/application-properties.html#application-properties.server.server.ssl.trust-store

In the context of a Spring server application the first one is relevant for connections which the server makes to a second server - so only when the server acts as client as well - e.g. when acting as a proxy server.

The second trust store is relevant for connections between the server and its clients. This is the one you need to deal with.

Certificates in the Tomcat Trust Store

The trust store which is used by Tomcat does NOT contain the client certificates. Instead, it must contain the certificate of the Certificate Authority who has signed the client certificate. So when using self-signed certificates, you need to install the CA certificate which you have generated on your own.

The big advantage of this is, that you do not need to change the server trust store, when you grant access to new clients.

The downside is, that you have to handle a certificate revocation. The CRL (certificate revocation list) is also stored in the trust store. See:

CRL Explained: What Is a Certificate Revocation List?

Merging the Default Trust Store and the Custom Trust Store

As now should be clear, this is not a good idea and would constitute a major security flaw, as it would allow any client which has a certificate signed by a CA in the default trust store (which can be easily obtained) to connect to the server. The server trust store must only contain those certificates which you use to sign your client certificates!

And there is no need to merge the two, as this are totally separate trust stores with totally different functions.

But, of course it is technically feasible to merge trust stores. This can all be done by keytool - see below.

Managing Trust Stores

Adding, deleting, exporting, listing, and printing certificates and CRLs can all be done via the Oracle command line tool "keytool", which is part of the OpenJDK. See

keytool Reference