Skip to content

Show certificates from truststore in SSL info endpoint#48967

Closed
garvit-joshi wants to merge 3 commits intospring-projects:mainfrom
garvit-joshi:main
Closed

Show certificates from truststore in SSL info endpoint#48967
garvit-joshi wants to merge 3 commits intospring-projects:mainfrom
garvit-joshi:main

Conversation

@garvit-joshi
Copy link
Contributor

@garvit-joshi garvit-joshi commented Jan 26, 2026

Adds trustStoreCertificateChains field to BundleInfo to expose truststore certificates separately from keystore certificates in the SSL info endpoint.

Closes #45845

@garvit-joshi
Show certificates from truststore in SSL info endpoint
b283e21 
Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 26, 2026
@mhalbritter mhalbritter self-assigned this Jan 28, 2026
@mhalbritter mhalbritter mentioned this pull request Jan 28, 2026
Closed
@mhalbritter mhalbritter added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 28, 2026
@mhalbritter mhalbritter added this to the 4.1.x milestone Jan 28, 2026
@mhalbritter
Copy link
Contributor

mhalbritter commented Jan 28, 2026
edited
Loading

Hello @garvit-joshi,

thanks for the PR. I played around with it a bit, and while this works when the truststore has "Private Key" entries in it (secret key + certificate), it fails when a truststore only contains "Trusted Certificate" entries.

The reason is that KeyStore.getCertificateChain only works for "Private Key" entries, as stated in the JavaDoc:

Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call to setKeyEntry, or by a call to setEntry with a PrivateKeyEntry.

To get the (leaf) certificate for a "Trusted Certificate" entry, you'd need to call KeyStore.getCertificate. Hoewever, this will only give you the leaf certificate (the last one in the chain). So either we rename trustStoreCertificateChains to trustStoreCertificates or we need to go the hard route of getting the complete chain for a truststore "Trusted Certificate" entry.

You can use those two keystores to play around, the passwords for both the keystore and the private keys is secret. The keystore contains "Private Key" entries, while the truststore contains "Trusted Certificate" entries (I haven't put in the work to really create a chain of trust, it's all self-signed certificates without a real chain).

We should also verify that it works with a test which doesn't reuse the keystore as the truststore.

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Jan 28, 2026
@garvit-joshi
Handle trustedCertEntry in truststore and add separate keystore/trust…
c3bdfc6 
…store tests

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@garvit-joshi
Copy link
Contributor Author

garvit-joshi commented Jan 29, 2026

Hi @mhalbritter,

Thank you for the detailed feedback and for providing the test keystores!

I've updated the implementation to handle trustedCertEntry entries. The code now first tries getCertificateChain() for PrivateKeyEntry entries, and falls back to getCertificate() for trustedCertEntry entries.

I've also added a new test separateKeyStoreAndTrustStoreShouldProvideSslInfo() that uses separate keystore (with 2 PrivateKeyEntry entries) and truststore (with 3 trustedCertEntry entries) to verify both scenarios work correctly.

Thanks again for your guidance!

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 29, 2026
@garvit-joshi
Formatted the tests
0749324 
Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@garvit-joshi
Copy link
Contributor Author

garvit-joshi commented Feb 2, 2026

Build got failed due to formatting issues. I have formatted the required files.

garvit-joshi added a commit to garvit-joshi/pr-48967 that referenced this pull request Feb 2, 2026
@garvit-joshi
Test for PR #48967: Show certificates from truststore in SSL info end…
ff47a52 
…point

This project demonstrates the functionality added in spring-projects/spring-boot#48967,
which exposes truststore certificates through the SSL info actuator endpoint.

The /actuator/info endpoint now includes:
- Certificate chains with alias, issuer, subject, and validity info
- Truststore certificates with the same detailed information
- Support for multiple SSL bundles
@garvit-joshi
Copy link
Contributor Author

garvit-joshi commented Feb 2, 2026

Hi @mhalbritter,
I've created a small test project to verify the fix works correctly with the keystores you provided: https://github.com/garvit-joshi/pr-48967

The SSL info endpoint now correctly returns:

  • certificateChains: 2 entries from keystore (PrivateKeyEntry)
  • trustStoreCertificates: 3 entries from truststore (trustedCertEntry)

@mhalbritter mhalbritter removed the status: feedback-provided Feedback has been provided label Feb 6, 2026
mhalbritter pushed a commit that referenced this pull request Feb 6, 2026
@garvit-joshi @mhalbritter
Show certificates from truststore in SSL info endpoint
e1a1d0e 
See gh-48967

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
mhalbritter added a commit that referenced this pull request Feb 6, 2026
@mhalbritter
Polish "Show certificates from truststore in SSL info endpoint"
27b9402 
See gh-48967
@mhalbritter
Copy link
Contributor

mhalbritter commented Feb 6, 2026

Thanks @garvit-joshi !

@mhalbritter mhalbritter modified the milestones: 4.1.x, 4.1.0-M2 Feb 6, 2026
@tommyk-gears tommyk-gears mentioned this pull request Feb 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mhalbritter mhalbritter

Labels

type: enhancement A general enhancement

Projects

None yet

Milestone

4.1.0-M2

Development

Successfully merging this pull request may close these issues.

Show certificates from truststore in SSL info endpoint

3 participants

@garvit-joshi @mhalbritter @spring-projects-issues