DEV Community: Zem Dev The latest articles on DEV Community by Zem Dev (@zem_dev). https://dev.to/zem_dev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3392144%2F2ee26375-b9c4-42ee-8daa-f9e20f9728f6.png DEV Community: Zem Dev https://dev.to/zem_dev en Dynamic SSL Configuration for Spring Boot Applications in AWS Zem Dev Sun, 27 Jul 2025 17:11:50 +0000 https://dev.to/zem_dev/dynamic-ssl-configuration-for-spring-boot-applications-in-aws-31eg https://dev.to/zem_dev/dynamic-ssl-configuration-for-spring-boot-applications-in-aws-31eg <p>In today's cloud-driven world, securing communication channels between services is crucial. For Spring Boot applications running on AWS, leveraging SSL with AWS Secrets Manager is an effective solution for managing sensitive keystore and truststore data. Below, we outline a method for dynamically configuring SSL in a Spring Boot application using AWS Secrets Manager.</p> <h2> Step 1: Generating SSL Certificates </h2> <p>Initially, you need to generate the required SSL certificates. The process involves creating a Certificate Authority (CA), a server private key, and a Certificate Signing Request (CSR). The server CSR is then signed with the CA to create a server certificate. These certificates are packaged into PKCS12 keystores and truststores, encoded in Base64, and stored in AWS Secrets Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">set</span> <span class="nt">-e</span> <span class="c"># CONFIGURATION</span> <span class="nv">KEYSTORE_PASSWORD</span><span class="o">=</span><span class="s2">"changeit"</span> <span class="nv">TRUSTSTORE_PASSWORD</span><span class="o">=</span><span class="s2">"changeit"</span> <span class="nv">SECRET_NAME</span><span class="o">=</span><span class="s2">"secret-name-keystore"</span> <span class="nv">CA_ALIAS</span><span class="o">=</span><span class="s2">"my-internal-ca"</span> <span class="nv">SERVER_ALIAS</span><span class="o">=</span><span class="s2">"server"</span> <span class="nv">DNAME</span><span class="o">=</span><span class="s2">"/C=BR/ST=State/L=City/O=YourOrg/OU=YourUnit/CN=localhost"</span> <span class="nv">CA_DNAME</span><span class="o">=</span><span class="s2">"/C=BR/ST=State/L=City/O=YourOrg/OU=YourUnit/CN=YourCA"</span> <span class="nv">HOSTNAME</span><span class="o">=</span><span class="s2">"localhost"</span> <span class="nv">JAVA_CACERTS</span><span class="o">=</span><span class="s2">"</span><span class="nv">$JAVA_HOME</span><span class="s2">/lib/security/cacerts"</span> <span class="nv">JAVA_CACERTS_PASS</span><span class="o">=</span><span class="s2">"changeit"</span> <span class="c"># Generate CA</span> openssl genrsa <span class="nt">-out</span> ca.key 2048 openssl req <span class="nt">-x509</span> <span class="nt">-new</span> <span class="nt">-nodes</span> <span class="nt">-key</span> ca.key <span class="nt">-sha256</span> <span class="nt">-days</span> 3650 <span class="nt">-out</span> ca.crt <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"</span><span class="nv">$CA_DNAME</span><span class="s2">"</span> <span class="c"># Generate server private key and CSR</span> openssl req <span class="nt">-new</span> <span class="nt">-newkey</span> rsa:2048 <span class="nt">-nodes</span> <span class="nt">-keyout</span> server.key <span class="nt">-out</span> server.csr <span class="se">\</span> <span class="nt">-subj</span> <span class="s2">"</span><span class="nv">$DNAME</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-addext</span> <span class="s2">"subjectAltName=DNS:</span><span class="nv">$HOSTNAME</span><span class="s2">"</span> <span class="c"># Sign server CSR with CA</span> openssl x509 <span class="nt">-req</span> <span class="nt">-in</span> server.csr <span class="nt">-CA</span> ca.crt <span class="nt">-CAkey</span> ca.key <span class="nt">-CAcreateserial</span> <span class="se">\</span> <span class="nt">-out</span> server.crt <span class="nt">-days</span> 3650 <span class="nt">-sha256</span> <span class="nt">-extfile</span> &lt;<span class="o">(</span><span class="nb">printf</span> <span class="s2">"subjectAltName=DNS:</span><span class="nv">$HOSTNAME</span><span class="s2">"</span><span class="o">)</span> <span class="c"># Create PKCS12 keystore</span> openssl pkcs12 <span class="nt">-export</span> <span class="nt">-in</span> server.crt <span class="nt">-inkey</span> server.key <span class="nt">-certfile</span> ca.crt <span class="se">\</span> <span class="nt">-out</span> keystore.p12 <span class="nt">-name</span> <span class="nv">$SERVER_ALIAS</span> <span class="nt">-passout</span> pass:<span class="nv">$KEYSTORE_PASSWORD</span> <span class="c"># Create combined truststore (default JVM CAs + your CA)</span> <span class="nb">cp</span> <span class="nv">$JAVA_CACERTS</span> combined-truststore.p12 keytool <span class="nt">-importcert</span> <span class="nt">-file</span> ca.crt <span class="nt">-keystore</span> combined-truststore.p12 <span class="se">\</span> <span class="nt">-storetype</span> PKCS12 <span class="nt">-alias</span> <span class="nv">$CA_ALIAS</span> <span class="nt">-storepass</span> <span class="nv">$JAVA_CACERTS_PASS</span> <span class="nt">-noprompt</span> <span class="k">if</span> <span class="o">[</span> <span class="s2">"</span><span class="nv">$TRUSTSTORE_PASSWORD</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"</span><span class="nv">$JAVA_CACERTS_PASS</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>keytool <span class="nt">-storepasswd</span> <span class="nt">-new</span> <span class="nv">$TRUSTSTORE_PASSWORD</span> <span class="nt">-keystore</span> combined-truststore.p12 <span class="se">\</span> <span class="nt">-storetype</span> PKCS12 <span class="nt">-storepass</span> <span class="nv">$JAVA_CACERTS_PASS</span> <span class="k">fi</span> <span class="c"># Base64 encode keystore and truststore</span> <span class="nb">base64</span> <span class="nt">-w</span> 0 keystore.p12 <span class="o">&gt;</span> keystore.p12.b64 <span class="nb">base64</span> <span class="nt">-w</span> 0 combined-truststore.p12 <span class="o">&gt;</span> truststore.p12.b64 <span class="c"># Generate secret.json</span> <span class="nb">cat</span> <span class="o">&gt;</span> secret.json <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> { "keystore": "</span><span class="si">$(</span><span class="nb">cat </span>keystore.p12.b64<span class="si">)</span><span class="sh">", "keystorePassword": "</span><span class="nv">$KEYSTORE_PASSWORD</span><span class="sh">", "keystoreType": "PKCS12", "truststore": "</span><span class="si">$(</span><span class="nb">cat </span>truststore.p12.b64<span class="si">)</span><span class="sh">", "truststorePassword": "</span><span class="nv">$TRUSTSTORE_PASSWORD</span><span class="sh">", "truststoreType": "PKCS12" } </span><span class="no">EOF </span><span class="c"># Set secret in AWS</span> aws secretsmanager create-secret <span class="nt">--name</span> <span class="s2">"</span><span class="nv">$SECRET_NAME</span><span class="s2">"</span> <span class="nt">--secret-string</span> file://secret.json <span class="o">||</span> <span class="se">\</span> aws secretsmanager update-secret <span class="nt">--secret-id</span> <span class="s2">"</span><span class="nv">$SECRET_NAME</span><span class="s2">"</span> <span class="nt">--secret-string</span> file://secret.json </code></pre> </div> <h2> Step 2: Spring Boot Configuration </h2> <p>Once the certificates are securely stored, the next step is to configure the Spring Boot application to fetch and apply these SSL settings dynamically. This is achieved through a custom <code>EnvironmentPostProcessor</code> that retrieves the keystore and truststore from AWS Secrets Manager.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="kn">import</span> <span class="nn">com.fasterxml.jackson.databind.JsonNode</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">com.fasterxml.jackson.databind.ObjectMapper</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.SpringApplication</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.boot.env.EnvironmentPostProcessor</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.env.ConfigurableEnvironment</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">org.springframework.core.env.MapPropertySource</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">software.amazon.awssdk.services.secretsmanager.SecretsManagerClient</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">software.amazon.awssdk.services.secretsmanager.SecretsManagerClientBuilder</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.io.FileOutputStream</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.net.URI</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.file.Files</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.nio.file.Path</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Base64</span><span class="o">;</span> <span class="kn">import</span> <span class="nn">java.util.Map</span><span class="o">;</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SslEnvironmentPostProcessor</span> <span class="kd">implements</span> <span class="nc">EnvironmentPostProcessor</span> <span class="o">{</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">postProcessEnvironment</span><span class="o">(</span><span class="nc">ConfigurableEnvironment</span> <span class="n">environment</span><span class="o">,</span> <span class="nc">SpringApplication</span> <span class="n">application</span><span class="o">)</span> <span class="o">{</span> <span class="k">try</span> <span class="o">{</span> <span class="k">if</span> <span class="o">(!</span><span class="n">environment</span><span class="o">.</span><span class="na">getProperty</span><span class="o">(</span><span class="s">"server.ssl.enabled"</span><span class="o">,</span> <span class="nc">Boolean</span><span class="o">.</span><span class="na">class</span><span class="o">,</span> <span class="kc">false</span><span class="o">))</span> <span class="o">{</span> <span class="k">return</span><span class="o">;</span> <span class="o">}</span> <span class="k">try</span> <span class="o">(</span><span class="nc">SecretsManagerClient</span> <span class="n">client</span> <span class="o">=</span> <span class="n">buildClient</span><span class="o">(</span><span class="n">environment</span><span class="o">))</span> <span class="o">{</span> <span class="nc">GetSecretValueRequest</span> <span class="n">request</span> <span class="o">=</span> <span class="nc">GetSecretValueRequest</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">secretId</span><span class="o">(</span><span class="s">"secret-name"</span><span class="o">)</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="nc">String</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">client</span><span class="o">.</span><span class="na">getSecretValue</span><span class="o">(</span><span class="n">request</span><span class="o">).</span><span class="na">secretString</span><span class="o">();</span> <span class="nc">SslCerts</span> <span class="n">sslCerts</span> <span class="o">=</span> <span class="n">parseSecret</span><span class="o">(</span><span class="n">secret</span><span class="o">);</span> <span class="n">setProperties</span><span class="o">(</span><span class="n">environment</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="k">catch</span> <span class="o">(</span><span class="nc">Exception</span> <span class="n">e</span><span class="o">)</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">RuntimeException</span><span class="o">(</span><span class="s">"Failed to load SSL properties from AWS Secrets Manager"</span><span class="o">,</span> <span class="n">e</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">SecretsManagerClient</span> <span class="nf">buildClient</span><span class="o">(</span><span class="nc">ConfigurableEnvironment</span> <span class="n">environment</span><span class="o">)</span> <span class="o">{</span> <span class="k">return</span> <span class="nc">SecretsManagerClient</span><span class="o">.</span><span class="na">builder</span><span class="o">()</span> <span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">SslSecrets</span> <span class="nf">parseSecret</span><span class="o">(</span><span class="nc">String</span> <span class="n">secret</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="nc">ObjectMapper</span> <span class="n">mapper</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ObjectMapper</span><span class="o">();</span> <span class="nc">JsonNode</span> <span class="n">secretJson</span> <span class="o">=</span> <span class="n">mapper</span><span class="o">.</span><span class="na">readTree</span><span class="o">(</span><span class="n">secret</span><span class="o">);</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">SslCerts</span><span class="o">(</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"keystore"</span><span class="o">).</span><span class="na">asText</span><span class="o">(),</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"keystorePassword"</span><span class="o">).</span><span class="na">asText</span><span class="o">(),</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"keystoreType"</span><span class="o">).</span><span class="na">asText</span><span class="o">(),</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"truststore"</span><span class="o">).</span><span class="na">asText</span><span class="o">(),</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"truststorePassword"</span><span class="o">).</span><span class="na">asText</span><span class="o">(),</span> <span class="n">secretJson</span><span class="o">.</span><span class="na">get</span><span class="o">(</span><span class="s">"truststoreType"</span><span class="o">).</span><span class="na">asText</span><span class="o">()</span> <span class="o">);</span> <span class="o">}</span> <span class="kd">private</span> <span class="nc">Path</span> <span class="nf">writeTempFile</span><span class="o">(</span><span class="nc">String</span> <span class="n">encodedContent</span><span class="o">,</span> <span class="nc">String</span> <span class="n">fileName</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="kt">byte</span><span class="o">[]</span> <span class="n">bytes</span> <span class="o">=</span> <span class="nc">Base64</span><span class="o">.</span><span class="na">getDecoder</span><span class="o">().</span><span class="na">decode</span><span class="o">(</span><span class="n">encodedContent</span><span class="o">);</span> <span class="nc">Path</span> <span class="n">tempFile</span> <span class="o">=</span> <span class="nc">Files</span><span class="o">.</span><span class="na">createTempFile</span><span class="o">(</span><span class="n">fileName</span><span class="o">,</span> <span class="s">".p12"</span><span class="o">);</span> <span class="k">try</span> <span class="o">(</span><span class="nc">FileOutputStream</span> <span class="n">fos</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">FileOutputStream</span><span class="o">(</span><span class="n">tempFile</span><span class="o">.</span><span class="na">toFile</span><span class="o">()))</span> <span class="o">{</span> <span class="n">fos</span><span class="o">.</span><span class="na">write</span><span class="o">(</span><span class="n">bytes</span><span class="o">);</span> <span class="o">}</span> <span class="n">tempFile</span><span class="o">.</span><span class="na">toFile</span><span class="o">().</span><span class="na">deleteOnExit</span><span class="o">();</span> <span class="k">return</span> <span class="n">tempFile</span><span class="o">;</span> <span class="o">}</span> <span class="kd">private</span> <span class="kt">void</span> <span class="nf">setProperties</span><span class="o">(</span><span class="nc">ConfigurableEnvironment</span> <span class="n">environment</span><span class="o">,</span> <span class="nc">SslCerts</span> <span class="n">sslCerts</span><span class="o">)</span> <span class="o">{</span> <span class="nc">Path</span> <span class="n">keystore</span> <span class="o">=</span> <span class="n">writeTempFile</span><span class="o">(</span><span class="n">sslCerts</span><span class="o">.</span><span class="na">keystore</span><span class="o">,</span> <span class="s">"keystore"</span><span class="o">);</span> <span class="nc">Path</span> <span class="n">truststore</span> <span class="o">=</span> <span class="n">writeTempFile</span><span class="o">(</span><span class="n">sslCerts</span><span class="o">.</span><span class="na">truststore</span><span class="o">,</span> <span class="s">"truststore"</span><span class="o">);</span> <span class="nc">Map</span><span class="o">&lt;</span><span class="nc">String</span><span class="o">,</span> <span class="nc">Object</span><span class="o">&gt;</span> <span class="n">sslProps</span> <span class="o">=</span> <span class="nc">Map</span><span class="o">.</span><span class="na">of</span><span class="o">(</span> <span class="s">"server.ssl.key-store"</span><span class="o">,</span> <span class="n">keystore</span><span class="o">.</span><span class="na">toAbsolutePath</span><span class="o">().</span><span class="na">toString</span><span class="o">(),</span> <span class="s">"server.ssl.key-store-password"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">keystorePassword</span><span class="o">(),</span> <span class="s">"server.ssl.key-store-type"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">keystoreType</span><span class="o">(),</span> <span class="s">"server.ssl.trust-store"</span><span class="o">,</span> <span class="n">truststore</span><span class="o">.</span><span class="na">toAbsolutePath</span><span class="o">().</span><span class="na">toString</span><span class="o">(),</span> <span class="s">"server.ssl.trust-store-password"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">truststorePassword</span><span class="o">(),</span> <span class="s">"server.ssl.trust-store-type"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">truststoreType</span><span class="o">()</span> <span class="o">);</span> <span class="n">environment</span><span class="o">.</span><span class="na">getPropertySources</span><span class="o">().</span><span class="na">addFirst</span><span class="o">(</span><span class="k">new</span> <span class="nc">MapPropertySource</span><span class="o">(</span><span class="s">"aws-ssl"</span><span class="o">,</span> <span class="n">sslProps</span><span class="o">));</span> <span class="nc">System</span><span class="o">.</span><span class="na">setProperty</span><span class="o">(</span><span class="s">"javax.net.ssl.trustStore"</span><span class="o">,</span> <span class="n">truststore</span><span class="o">.</span><span class="na">toAbsolutePath</span><span class="o">().</span><span class="na">toString</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">setProperty</span><span class="o">(</span><span class="s">"javax.net.ssl.trustStorePassword"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">truststorePassword</span><span class="o">());</span> <span class="nc">System</span><span class="o">.</span><span class="na">setProperty</span><span class="o">(</span><span class="s">"javax.net.ssl.trustStoreType"</span><span class="o">,</span> <span class="n">sslCerts</span><span class="o">.</span><span class="na">truststoreType</span><span class="o">());</span> <span class="o">}</span> <span class="kd">private</span> <span class="n">record</span> <span class="nf">SslCerts</span><span class="o">(</span> <span class="nc">String</span> <span class="n">keystore</span><span class="o">,</span> <span class="nc">String</span> <span class="n">keystorePassword</span><span class="o">,</span> <span class="nc">String</span> <span class="n">keystoreType</span><span class="o">,</span> <span class="nc">String</span> <span class="n">truststore</span><span class="o">,</span> <span class="nc">String</span> <span class="n">truststorePassword</span><span class="o">,</span> <span class="nc">String</span> <span class="n">truststoreType</span><span class="o">)</span> <span class="o">{</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Upon startup, if SSL is enabled, the Spring Boot application dynamically retrieves the necessary secret from AWS Secrets Manager. This secret contains the encoded keystore and truststore data, which are then decoded and saved to temporary files. These files are automatically configured with the appropriate SSL properties, enabling secure communication for the application. This seamless integration ensures that sensitive SSL configurations are managed securely and efficiently, leveraging the power of AWS Secrets Manager to dynamically adapt the application's environment. It is only required that the user set the property <code>server.ssl.enabled</code> to <code>true</code>, and the code will handle the configuration of the SSL certificates.</p> <p>By following these steps, you can ensure secure communication for your Spring Boot applications running in an AWS environment, leveraging the power of AWS Secrets Manager for dynamic SSL configuration.</p> <h2> Benefits of this Approach </h2> <p>• <strong>Enhanced Security</strong>: Sensitive SSL credentials (keystore and truststore) are not directly embedded in the application code or configuration files, but are securely managed by AWS Secrets Manager.<br> • <strong>Dynamic Configuration</strong>: The application fetches and applies SSL settings at runtime, allowing for certificate updates without requiring application redeployment. This ensures that sensitive SSL configurations are managed securely and efficiently, leveraging the power of AWS Secrets Manager to dynamically adapt the application's environment.<br> • <strong>Developer Simplification</strong>: Once the solution is implemented, the user only needs to set the <code>server.ssl.enabled</code> property to <code>true</code>, and the SSL certificate configuration is automatically handled by the custom EnvironmentPostProcessor.<br> • <strong>Seamless Integration</strong>: The solution integrates fluidly with the AWS ecosystem, leveraging native cloud services.</p> springboot aws softwaredevelopment