Conversation

@garvit-joshi

Adds trustStoreCertificateChains field to BundleInfo to expose truststore certificates separately from keystore certificates in the SSL info endpoint.

Closes #45845

Signed-off-by: Garvit Joshi <garvitjoshi9@gmail.com>
@spring-projects-issues added the "status: waiting-for-triage" (An issue we've not yet triaged) label on Jan 26, 2026
@mhalbritter self-assigned this on Jan 28, 2026
@mhalbritter added the "type: enhancement" (A general enhancement) label and removed the "status: waiting-for-triage" (An issue we've not yet triaged) label on Jan 28, 2026
@mhalbritter added this to the 4.1.x milestone on Jan 28, 2026
@mhalbritter (Contributor) commented Jan 28, 2026

Hello @garvit-joshi,

thanks for the PR. I played around with it a bit, and while this works when the truststore has "Private Key" entries in it (secret key + certificate), it fails when a truststore only contains "Trusted Certificate" entries.

The reason is that KeyStore.getCertificateChain only works for "Private Key" entries, as stated in the JavaDoc:

Returns the certificate chain associated with the given alias. The certificate chain must have been associated with the alias by a call to setKeyEntry, or by a call to setEntry with a PrivateKeyEntry.

To get the (leaf) certificate for a "Trusted Certificate" entry, you'd need to call KeyStore.getCertificate. However, this will only give you the leaf certificate (the last one in the chain). So either we rename trustStoreCertificateChains to trustStoreCertificates or we need to go the hard route of getting the complete chain for a truststore "Trusted Certificate" entry.

You can use those two keystores to play around; the password for both the keystore and the private keys is secret. The keystore contains "Private Key" entries, while the truststore contains "Trusted Certificate" entries (I haven't put in the work to really create a chain of trust, it's all self-signed certificates without a real chain).

We should also verify that it works with a test which doesn't reuse the keystore as the truststore.
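The two lookups described in the comment above, getCertificateChain for "Private Key" entries and getCertificate for "Trusted Certificate" entries, combined into one walk over a KeyStore, including the "hard route" of extending a trusted leaf into a chain by issuer lookup. This is an added illustration, not code from the PR or from Spring Boot; the class name TrustStoreChains and the helper methods are assumptions of this example, and the issuer walk assumes X.509 certificates whose issuers, if any, live in the same store.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;

public final class TrustStoreChains {

    // One entry per alias: the stored chain for key entries, a reconstructed chain for trusted entries.
    public static Map<String, List<X509Certificate>> chains(KeyStore store) throws Exception {
        List<X509Certificate> trusted = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            if (store.isCertificateEntry(alias)
                    && store.getCertificate(alias) instanceof X509Certificate x509) {
                trusted.add(x509);
            }
        }
        Map<String, List<X509Certificate>> result = new LinkedHashMap<>();
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias) && store.getCertificateChain(alias) != null) {
                // Full chain is stored with the key entry (null for a SecretKeyEntry, which is skipped).
                result.put(alias, Arrays.stream(store.getCertificateChain(alias))
                        .map(X509Certificate.class::cast).toList());
            } else if (store.isCertificateEntry(alias)
                    && store.getCertificate(alias) instanceof X509Certificate leaf) {
                // Trusted-certificate entries only expose the leaf; extend it by issuer lookup.
                result.put(alias, buildChain(leaf, trusted));
            }
        }
        return result;
    }

    // Follow issuer -> subject links until a self-signed cert, a missing issuer or a loop stops the walk.
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        for (X509Certificate cur = leaf; cur != null && !chain.contains(cur); cur = findIssuer(cur, pool)) {
            chain.add(cur);
            if (cur.getIssuerX500Principal().equals(cur.getSubjectX500Principal())) break;
        }
        return chain;
    }

    // A candidate issuer must match by name AND actually verify the signature, not just the name.
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                try { cert.verify(candidate.getPublicKey()); return candidate; }
                catch (GeneralSecurityException ex) { /* name matches, signature does not; keep looking */ }
            }
        }
        return null;
    }
}
```

With the self-signed truststore described in the comment, every trusted alias yields a one-element chain, which is the case a test that does not reuse the keystore as the truststore should cover.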

@mhalbritter added the "status: waiting-for-feedback" (We need additional information before we can continue) label on Jan 28, 2026
Linked issue (#45845): Show certificates from truststore in SSL info endpoint
