Can we avoid spring boot application restart, to refresh the certificates associated with its embedded tomcat container?

With any change to the SSL certificates (in its keystore), we need to restart the spring boot application. I want to update my key store entry periodically (may be every year), but want to avoid restarting the JVM. What would it take to achieve it. I wonder if writing custom KeyManager is an acceptable practice?


  • Unfortunately, this is not possible.


    You have several solutions here.

    Reload Tomcat connector (a bit hacky)

    You can restart Tomcat connector i.e. restart 8843 is possible after you change your jssecacert file.

    But I think that it is still a hack.

    Reverse proxy: Nginx, Apache

    This is a way to go. Your application should be behind some reverse proxy (e.g. nginx). This will give you an additional flexibility and reduce load on your app. Nginx will handle https and translate it to plain http. Anyway, you'll have to restart nginx, but nginx restart is so fast that it will be no downtime. Moreover, you could configure script to do this for you.