tomcat, ssl-certificate

How to make tomcat to pick new certificates without restarting it


We have a web application whose SSL certificate expires every 100 days and is renewed automatically. We have to restart the server whenever that happens so it picks up the newly renewed certificate. Is there any way the Tomcat Java process can automatically pick up the new certificates whenever a certificate is renewed? We have thousands of machines in our cluster.


Solution

  • If you have embedded Tomcat, you can use the Tomcat API to reload all certificates. See: How do I force tomcat to reload trusted certificates? The easiest way is to read the keystore programmatically, get an SSL context from it, and use that context to make the connection.

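    /**
     * Builds a client-side {@link SSLContext} whose trust managers are backed by the
     * certificates in the configured keystore.
     *
     * <p>The keystore file is opened and read on every call, so calling this method
     * again after a certificate renewal produces a context that trusts the renewed
     * certificates without restarting the JVM. Only trust material is loaded: the
     * context is initialised with no {@code KeyManager}, so it verifies the peer's
     * certificate but does not present a client certificate itself.
     *
     * <p>On any failure the problem is logged (with its stack trace) and {@code null}
     * is returned; the caller must decide whether to fail closed or fall back.
     *
     * @return a freshly initialised TLS context, or {@code null} if the keystore could
     *         not be read or the context could not be initialised
     */
    private SSLContext buildSslSocketContext() {
        logger.info("Started checking for certificates and if it finds the certificates will be loaded…..");

        // Project-specific values: KEYSTORE_LOCATION / KEYSTORE_PASSWORD are placeholders
        // for wherever this deployment keeps the keystore path and its password.
        String keyStoreLoc = KEYSTORE_LOCATION; // TODO: keystore location
        String password = KEYSTORE_PASSWORD;    // TODO: keystore password

        return buildSslSocketContext(keyStoreLoc, password.toCharArray());
    }

    /**
     * Loads the keystore at {@code keyStoreLoc} and builds a trust-only
     * {@link SSLContext} from it.
     *
     * <p>A keystore that fails to load is never handed to the
     * {@link TrustManagerFactory}: the method returns {@code null} immediately instead
     * of continuing with an uninitialised keystore and relying on a later exception.
     *
     * @param keyStoreLoc path of the keystore file holding the trusted certificates
     * @param password    keystore password, passed straight to {@link KeyStore#load}
     * @return the initialised context, or {@code null} if loading or initialisation failed
     */
    private SSLContext buildSslSocketContext(String keyStoreLoc, char[] password) {
        KeyStore keystore;
        // try-with-resources closes the stream even when getInstance()/load() throw.
        try (InputStream in = new FileInputStream(keyStoreLoc)) {
            keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(in, password);
        } catch (IOException | GeneralSecurityException e) {
            // Log the exception itself, not just getMessage(): the cause (missing file,
            // wrong password, corrupt store) is only visible in the stack trace.
            logger.error("Unable to load keystore " + keyStoreLoc, e);
            return null;
        }

        try {
            // Trust managers that trust exactly the certificates in the keystore.
            String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
            tmf.init(keystore);

            // No key managers (first argument null): this context is for server
            // verification only.
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, tmf.getTrustManagers(), null);
            logger.info("Completed loading of certificates.");
            return context;
        } catch (GeneralSecurityException e) {
            logger.error("unable to create ssl context", e);
            return null;
        }
    }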
    
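    ClientBuilder clientBuilder = null;

    try {
        // Read the keystore now, so that a context built after a renewal carries the
        // renewed certificates; reuse of the resulting client is what avoids a restart.
        SSLContext sslContext = buildSslSocketContext();
        clientBuilder = ClientBuilder.newBuilder();
        if (sslContext != null) {
            clientBuilder.sslContext(sslContext);
        } else {
            // Fail-open: the client is still built, presumably with the JVM's default
            // trust configuration rather than our keystore, so certificates that are
            // only in our keystore will not be trusted. Logged at error level so this
            // degraded state is not lost among informational messages.
            logger.error("SSL context is missing; client will be built without the keystore-backed trust store");
        }
        client = clientBuilder.build(); // use this client to make http connections
    } catch (Exception e) {
        // Keep the exception: getMessage() alone hides where the failure originated.
        logger.error("unable to get ssl context for client", e);
    }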