Baeldung Pro – NPI EA (cat = Baeldung)
announcement - icon

Baeldung Pro comes with both absolutely No-Ads as well as finally with Dark Mode, for a clean learning experience:

>> Explore a clean Baeldung

Once the early-adopter seats are all used, the price will go up and stay at $33/year.

Partner – Microsoft – NPI EA (cat = Baeldung)
announcement - icon

Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.

Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.

To learn more about Java features on Azure Container Apps, visit the documentation page.

You can also ask questions and leave feedback on the Azure Container Apps GitHub page.

Partner – Microsoft – NPI EA (cat= Spring Boot)
announcement - icon

Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.

Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.

To learn more about Java features on Azure Container Apps, you can get started over on the documentation page.

And, you can also ask questions and leave feedback on the Azure Container Apps GitHub page.

Partner – Orkes – NPI EA (cat=Spring)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Partner – Orkes – NPI EA (tag=Microservices)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

eBook – Guide Spring Cloud – NPI EA (cat=Spring Cloud)
announcement - icon

Let's get started with a Microservice Architecture with Spring Cloud:

>> Join Pro and download the eBook

eBook – Mockito – NPI EA (tag = Mockito)
announcement - icon

Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.

Get started with mocking and improve your application tests using our Mockito guide:

Download the eBook

eBook – Java Concurrency – NPI EA (cat=Java Concurrency)
announcement - icon

Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.

Get started with understanding multi-threaded applications with our Java Concurrency guide:

>> Download the eBook

eBook – Reactive – NPI EA (cat=Reactive)
announcement - icon

Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:

>> Join Pro and download the eBook

eBook – Java Streams – NPI EA (cat=Java Streams)
announcement - icon

Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.

But these can also be overused and fall into some common pitfalls.

To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:

>> Join Pro and download the eBook

eBook – Jackson – NPI EA (cat=Jackson)
announcement - icon

Do JSON right with Jackson

Download the E-book

eBook – HTTP Client – NPI EA (cat=Http Client-Side)
announcement - icon

Get the most out of the Apache HTTP Client

Download the E-book

eBook – Maven – NPI EA (cat = Maven)
announcement - icon

Get Started with Apache Maven:

Download the E-book

eBook – Persistence – NPI EA (cat=Persistence)
announcement - icon

Working on getting your persistence layer right with Spring?

Explore the eBook

eBook – RwS – NPI EA (cat=Spring MVC)
announcement - icon

Building a REST API with Spring?

Download the E-book

Course – LS – NPI EA (cat=Jackson)
announcement - icon

Get started with Spring and Spring Boot, through the Learn Spring course:

>> LEARN SPRING
Course – RWSB – NPI EA (cat=REST)
announcement - icon

Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:

>> The New “REST With Spring Boot”

Course – LSS – NPI EA (cat=Spring Security)
announcement - icon

Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.

I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.

You can explore the course here:

>> Learn Spring Security

Course – All Access – NPI EA (cat= Spring)
announcement - icon

All Access is finally out, with all of my Spring courses. Learn JUnit is out as well, and Learn Maven is coming fast. And, of course, quite a bit more affordable. Finally.

>> GET THE COURSE
Course – LSD – NPI EA (tag=Spring Data JPA)
announcement - icon

Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.

Get started with Spring Data JPA through the guided reference course:

>> CHECK OUT THE COURSE

Partner – LambdaTest – NPI EA (cat=Testing)
announcement - icon

End-to-end testing is a very useful method to make sure that your application works as intended. This highlights issues in the overall functionality of the software, that the unit and integration test stages may miss.

Playwright is an easy-to-use, but powerful tool that automates end-to-end testing, and supports all modern browsers and platforms.

When coupled with LambdaTest (an AI-powered cloud-based test execution platform) it can be further scaled to run the Playwright scripts in parallel across 3000+ browser and device combinations:

>> Automated End-to-End Testing With Playwright

Course – Spring Sale 2025 – NPI EA (cat= Baeldung)
announcement - icon

Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:

>> EXPLORE ACCESS NOW

Course – Spring Sale 2025 – NPI (cat=Baeldung)
announcement - icon

Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:

>> EXPLORE ACCESS NOW

Course – LSS – NPI (cat=Spring Security)
announcement - icon

If you're working on a Spring Security (and especially an OAuth) implementation, definitely have a look at the Learn Spring Security course:

>> LEARN SPRING SECURITY

1. Introduction

Managing secure communications in Spring Boot applications often involves dealing with complex configurations. The challenges usually start with handling trust material, such as certificates and private keys, that come in various formats like JKS, PKCS #12, or PEM. Each of these formats has its own set of requirements for how it should be processed.

Fortunately, Spring Boot 3.1 introduces SSL Bundles, a feature designed to simplify these complexities. In this tutorial, we’ll explore what SSL Bundles are and how they can streamline SSL configuration tasks for Spring Boot applications.

2. Spring Boot SSL Bundles

Usually, once we’ve obtained the trust material, we need to turn it into Java objects that the application can work with. This often means dealing with classes like java.security.KeyStore for storing key material, javax.net.ssl.KeyManager for managing this key material, and javax.net.ssl.SSLContext for creating secure socket connections.

Each of these classes requires another layer of understanding and configuration, making the process tedious and error-prone. Various Spring Boot components might also necessitate delving into different layers of abstraction to apply these settings, adding another level of difficulty to the task.

An SSL Bundle encapsulates all the trust material and configuration settings, such as keystores, certificates, and private keys, into a single, easily manageable unit. Once an SSL Bundle is configured, it can be applied to one or more network connections, whether they are incoming or outgoing.

Configuration properties for SSL Bundles reside under the spring.ssl.bundle prefix in the application.yaml or application.properties configuration files.

Let’s start with JKS Bundles. We use spring.ssl.bundle.jks to configure bundles that use Java Keystore files:

spring:
  ssl:
    bundle:
      jks:
        server:
          key:
            alias: "server"
          keystore:
            location: "classpath:server.p12"
            password: "secret"
            type: "PKCS12"

In the case of PEM Bundles, we use spring.ssl.bundle.pem to configure bundles using PEM-encoded text files:

spring:
  ssl:
    bundle:
      pem:
        client:
          truststore:
            certificate: "classpath:client.crt"

Once these bundles are configured, they can be applied across microservices—whether it’s an Inventory Service needing to securely access a database, a User Authentication Service requiring secure API calls, or a Payment Processing Service securely communicating with a payment gateway.

Spring Boot automates the creation of Java objects like KeyStore, KeyManager, and SSLContext based on SSL Bundle configurations. This removes the need to manually create and manage these objects, making the process more straightforward and less prone to errors.

3. Securing RestTemplate With SSL Bundles

Let’s start with leveraging SSL Bundles while using the RestTemplate bean. For that, we’ll use a sample Spring Boot app, but first, we need to generate keys that will be used as an SSL Bundle.

We’ll use the openssl binary (that’s usually installed along with git) to generate keys by executing the following command from the project root:

$ openssl req -x509 -newkey rsa:4096 -keyout src/main/resources/key.pem -out src/main/resources/cert.pem -days 365 -passout pass:FooBar

Now, let’s convert this key to the PKCS12 format:

$ openssl pkcs12 -export -in src/main/resources/cert.pem -inkey src/main/resources/key.pem -out src/main/resources/keystore.p12 -name secure-service -passin pass:FooBar -passout pass:FooBar

As a result, we have everything for configuring SSL bundles; let’s define a bundle named “secure-service”  in the application.yml file:

spring:
 ssl:
   bundle:
     jks:
       secure-service:
         key:
           alias: "secure-service"
         keystore:
           location: "classpath:keystore.p12"
           password: "FooBar"
           type: "PKCS12"

Next, we can set our bundle on RestTemplate by calling the setSslBundle() method:

@Bean
public RestTemplate restTemplate(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
    return restTemplateBuilder.setSslBundle(sslBundles.getBundle("secure-service")).build();
}

Finally, we can use the configured RestTemplate bean to call an API:

@Service
public class SecureServiceRestApi {
    private final RestTemplate restTemplate;

    @Autowired
    public SecureServiceRestApi(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    public String fetchData(String dataId) {
        ResponseEntity<String> response = restTemplate.exchange(
          "https://secure-service.com/api/data/{id}",
          HttpMethod.GET,
          null,
          String.class,
          dataId
        );
        return response.getBody();
    }
}

The SSL Bundle in our Spring Boot application serves to validate the certificate of the secure-service, ensuring an encrypted and secure communication channel. However, this doesn’t limit us from using client certificates for authentication on the API side. We’ll see later how to obtain SSLContext to configure custom clients.

4. Leveraging Spring Boot’s Auto-Configured SSLBundles

Before Spring Boot’s SSL Bundles, developers used to work with the classic Java classes that underpin SSL configurations:

  • java.security.KeyStore: These instances are used as keystores and truststores, effectively serving as secure repositories of cryptographic keys and certificates.
  • javax.net.ssl.KeyManager and javax.net.ssl.TrustManager: These instances manage the keys and trust decisions during SSL communications, respectively.
  • javax.net.ssl.SSLContext: These instances act as a factory for SSLEngine and SSLSocket objects, orchestrating how SSL configurations are implemented at runtime.

Spring Boot 3.1 introduces a structured abstraction layer divided into Java interfaces:

  • SslStoreBundle: Offers a gateway to KeyStore objects containing cryptographic keys and trusted certificates.
  • SslManagerBundle: Coordinates and provides methods to manage KeyManager and TrustManager objects.
  • SslBundle: Serves as a one-stop shop, aggregating all these functionalities into a unified interaction model with the SSL ecosystem.

Subsequently, Spring Boot auto-configures an SslBundles bean. As a result, we can conveniently inject SslBundle instances into any Spring Bean. This is exceptionally useful for configuring secure communications for legacy codebase and custom REST clients.

For example, let’s consider a custom SSLContext is needed for a custom secure HttpClient:

@Component
public class SecureRestTemplateConfig {
    private final SSLContext sslContext;

    @Autowired
    public SecureRestTemplateConfig(SslBundles sslBundles) throws NoSuchSslBundleException {
        SslBundle sslBundle = sslBundles.getBundle("secure-service");
        this.sslContext = sslBundle.createSslContext();
    }

    @Bean
    public RestTemplate secureRestTemplate() {
        SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create().setSslContext(this.sslContext).build();
        HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create().setSSLSocketFactory(sslSocketFactory).build();
        HttpClient httpClient = HttpClients.custom().setConnectionManager(cm).evictExpiredConnections().build();
        HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
        return new RestTemplate(factory);
    }
}

In the code above, we inject the SslBundles instance into the Autowired constructor. Actually, SslBundles provides us access to all configured SSL Bundles. Therefore, we retrieve the secure-service bundle and create the context. Later, we use the SSLContext instance to create a custom HttpClient and apply it to create a RestTemplate bean.

5. Using SSL Bundles With Data Services

Different data services have varying degrees of SSL configuration options, creating complexities during the configuration process.

SSL Bundles introduces a more uniform approach to SSL configurations across a wide range of data services:

  • Cassandra: spring.cassandra.ssl
  • Couchbase: spring.couchbase.env.ssl
  • Elasticsearch: spring.elasticsearch.restclient.ssl
  • MongoDB: spring.data.mongodb.ssl
  • Redis: spring.data.redis.ssl

Now, most of these services support a *.ssl.enabled property. This property activates SSL support in the client library, leveraging the trust material found in the Java runtime’s cacerts.

Additionally, the *.ssl.bundle property allows us to apply a named SSL bundle to customize the trust material, thereby achieving uniformity and reusability across multiple service connections.

For this example, let’s assume that there’s an SSL bundle named mongodb-ssl-bundle. This bundle contains the necessary trust material to secure connections to a MongoDB instance.

Let’s define the application.yml file:

spring:
  data:
    mongodb:
      ssl:
        enabled: true
        bundle: mongodb-ssl-bundle

By simply adding these properties, the MongoDB client library in the Spring Boot application automatically uses the SSL context and trust material specified in mongodb-ssl-bundle.

6. Using SSL Bundles With Embedded Servers

Managing SSL configurations for embedded web servers in Spring Boot can be also simplified by using SSL Bundles.

Traditionally, the server.ssl.*  properties have been used for setting each individual SSL configuration. With SSL Bundles, configurations can be grouped together and then reused across multiple connections, reducing the chance of mistakes and simplifying overall management.

Firstly, let’s explore the traditional, individual property approach:

server:
  ssl:
    key-alias: "server"
    key-password: "keysecret"
    key-store: "classpath:server.p12"
    key-store-password: "storesecret"
    client-auth: NEED

On the other hand, the SSL Bundle approach allows for the same configurations to be encapsulated:

spring:
  ssl:
    bundle:
      jks:
        web-server:
          key:
            alias: "server"
            password: "keysecret"
          keystore:
            location: "classpath:server.p12"
            password: "storesecret"

Now, we can use the defined bundle for securing our web server:

server:
  ssl:
    bundle: "web-server"
    client-auth: NEED

While both approaches secure an embedded web server, the SSL Bundle method is more efficient for configuration management. This feature is also available for other configurations like management.server.ssl and spring.rsocket.server.ssl.

7. Conclusion

In this article, we explored the new SSL Bundles feature in Spring Boot that can simplify and unify the process of configuring trust materials.

In contrast to traditional server.ssl.* properties, SSL Bundles offer a structured way to manage both keystores and truststores. This is particularly beneficial for reducing misconfiguration risks and increasing the efficiency of managing SSL across multiple services.

Furthermore, SSL Bundles lend themselves well to centralized management, allowing the same bundle to be reused across different parts of the application.

By incorporating SSL bundles, developers can not only simplify the configuration process but also elevate the security posture of embedded web servers in Spring Boot applications.

The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
Baeldung Pro – NPI EA (cat = Baeldung)
announcement - icon

Baeldung Pro comes with both absolutely No-Ads as well as finally with Dark Mode, for a clean learning experience:

>> Explore a clean Baeldung

Once the early-adopter seats are all used, the price will go up and stay at $33/year.

Partner – Microsoft – NPI EA (cat = Spring Boot)
announcement - icon

Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.

Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.

To learn more about Java features on Azure Container Apps, visit the documentation page.

You can also ask questions and leave feedback on the Azure Container Apps GitHub page.

Partner – Orkes – NPI EA (cat = Spring)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

Partner – Orkes – NPI EA (tag = Microservices)
announcement - icon

Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.

Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.

With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.

Try a 14-Day Free Trial of Orkes Conductor today.

eBook – HTTP Client – NPI EA (cat=HTTP Client-Side)
announcement - icon

The Apache HTTP Client is a very robust library, suitable for both simple and advanced use cases when testing HTTP endpoints. Check out our guide covering basic request and response handling, as well as security, cookies, timeouts, and more:

>> Download the eBook

eBook – Java Concurrency – NPI EA (cat=Java Concurrency)
announcement - icon

Handling concurrency in an application can be a tricky process with many potential pitfalls. A solid grasp of the fundamentals will go a long way to help minimize these issues.

Get started with understanding multi-threaded applications with our Java Concurrency guide:

>> Download the eBook

eBook – Java Streams – NPI EA (cat=Java Streams)
announcement - icon

Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.

But these can also be overused and fall into some common pitfalls.

To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:

>> Join Pro and download the eBook

eBook – Persistence – NPI EA (cat=Persistence)
announcement - icon

Working on getting your persistence layer right with Spring?

Explore the eBook

Course – LS – NPI EA (cat=REST)

announcement - icon

Get started with Spring Boot and with core Spring, through the Learn Spring course:

>> CHECK OUT THE COURSE

Course – Spring Sale 2025 – NPI EA (cat= Baeldung)
announcement - icon

Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:

>> EXPLORE ACCESS NOW

Course – Spring Sale 2025 – NPI (All)
announcement - icon

Yes, we're now running our Spring Sale. All Courses are 25% off until 26th May, 2025:

>> EXPLORE ACCESS NOW

Course – LSS – NPI (cat=Security/Spring Security)
announcement - icon

I just announced the new Learn Spring Security course, including the full material focused on the new OAuth2 stack in Spring Security:

>> CHECK OUT THE COURSE

Partner – Microsoft – NPI (cat=Spring)
announcement - icon

Azure Container Apps is a fully managed serverless container service that enables you to build and deploy modern, cloud-native Java applications and microservices at scale. It offers a simplified developer experience while providing the flexibility and portability of containers.

Of course, Azure Container Apps has really solid support for our ecosystem, from a number of build options, managed Java components, native metrics, dynamic logger, and quite a bit more.

To learn more about Java features on Azure Container Apps, visit the documentation page.

You can also ask questions and leave feedback on the Azure Container Apps GitHub page.

eBook Jackson – NPI EA – 3 (cat = Jackson)
4 Comments
Oldest
Newest
Inline Feedbacks
View all comments