A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date. In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed. A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
The repository contains:
- Server, based on Spring Boot with Tomcat as a server engine
The server has two ways to update the existing ssl material:
-
File based aka file change listener, see here for the implementation: FilesBasedSslUpdateService
-
REST, This option is hosted in a separate module within this repository, see here: AdminController
-
Databased based, aka database change listener. This option is hosted in a separate module within this repository, see here: Instant SSL Reloading With Database
- Java 21
- Terminal
mvn spring-boot:run
Visit the server with the following url on your browser: https://localhost:8443/api/hello Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
The file based ssl update service will listen to changes on a specific file on the file system. Adjust the path to your identity and truststore within FilesBasedSslUpdateService.
private static final Path identityPath = Path.of("/path/to/your/identity.jks");
private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");Also change the passwords if it is different.
private static final char[] identityPassword = "secret".toCharArray();
private static final char[] trustStorePassword = "secret".toCharArray();Adjust the content of the identity and truststore and after 10 seonds the cron job will be triggered to validate if the content has been changed, and it will update the ssl configuration if there are any changes on it.
Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down. You should have a similar certificate detail as shown below:
