How to configure Spring Boot with PEM certificates for TLS/SSL communication

Until a few months ago, asymmetric encryption for HTTPS/TLS communication in Spring Boot could only be configured by using a key store.

A key store is a password-protected file containing a set of cryptographic keys (it may hold public keys, private keys, and other key types). In the Java environment you are most likely to encounter JKS (Java KeyStore, .jks) and PKCS12 (Public Key Cryptography Standards #12, .p12 or .pfx). JKS is a Java-specific format, while PKCS12 is a widely recognized, industry-standard format.

PEM (Privacy Enhancement for Internet Electronic Mail, .pem) is a standard format that, unlike key stores, is not encrypted and can hold any kind of cryptographic key or certificate. It is frequently encountered in open-source projects.

LetsEncrypt.org is a non-profit certificate authority run by the Internet Security Research Group (ISRG) that issues free certificates. Its client tool, certbot, generates a set of files in the PEM format:

  • privkey.pem: the certificate's private key – shall NEVER be shared
  • fullchain.pem: contains both cert.pem (first in the list) and chain.pem; the certificates are linked from top to bottom, the first being the leaf and the last being the root
  • cert.pem: server certificate (aka leaf certificate or end-entity certificate)
  • chain.pem: intermediate certificate(s) used by browsers to validate the server certificate

Previously, these certificates had to be converted into a format the server could read, and an additional mechanism had to be configured when automatic renewal was used. Since Spring Boot version 2.7, PEM certificates can be used directly by configuring the paths to the private key and to the full chain. One way to do that is through the application.properties (or YAML) file:

application.properties

server.ssl.certificate-private-key=<path_to_file>/privkey.pem
server.ssl.certificate=<path_to_file>/fullchain.pem

application.yaml / application.yml

server:
  ssl:
    certificate-private-key: <path_to_file>/privkey.pem
    certificate: <path_to_file>/fullchain.pem
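Before pointing server.ssl.certificate and server.ssl.certificate-private-key at the files, it is worth verifying that fullchain.pem really is ordered as described above (leaf first, each certificate issued by the next one) and that no private key block has ended up in it, since a misordered or mixed-up file makes the TLS handshake fail or leaks key material. The following Python pre-flight check is an added example, not Spring Boot or certbot code; it walks the DER structure with the standard library only, and sample_cert builds constructed, unsigned certificate-shaped test data (not real certificates) so the check can be exercised offline.

```python
import base64, re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in `text`."""
    return [(lbl, base64.b64decode(b64)) for lbl, b64 in PEM_BLOCK.findall(text)]

def _tlv(buf, off=0):                               # one DER TLV at `off` -> (tag, value, next offset)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def issuer_subject(der):
    """Walk Certificate -> tbsCertificate and return (issuer, subject) as raw DER Name contents."""
    tbs = _tlv(_tlv(der)[1])[1]
    tag, _, off = _tlv(tbs)                         # [0] EXPLICIT version is optional
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)                  # serialNumber
    _, _, off = _tlv(tbs, off)                      # signature AlgorithmIdentifier
    _, issuer, off = _tlv(tbs, off)
    _, _, off = _tlv(tbs, off)                      # validity
    return issuer, _tlv(tbs, off)[1]                # subject

def check_fullchain(text):
    """fullchain.pem: only CERTIFICATE blocks, leaf first, each one issued by the next."""
    blocks = pem_blocks(text)
    if not blocks or any(lbl != "CERTIFICATE" for lbl, _ in blocks):
        return False, "fullchain must contain only CERTIFICATE blocks (never the private key)"
    chain = [issuer_subject(der) for _, der in blocks]
    for i in range(len(chain) - 1):
        if chain[i][0] != chain[i + 1][1]:          # issuer(i) must equal subject(i+1)
            return False, f"certificate {i} is not issued by certificate {i + 1}: wrong order?"
    return True, f"{len(blocks)} certificate(s), leaf first"

def _der(tag, body):                                # tiny DER encoder, for the constructed samples only
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body

def sample_cert(subject_cn, issuer_cn):
    """Constructed, unsigned X.509-shaped certificate with CN-only names (test data, not a real cert)."""
    def name(cn):                                   # Name = SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")   # version, serial, sigAlg
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))                    # issuer, validity, subject
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Run check_fullchain on the text of the real fullchain.pem; the two Name comparisons are byte-for-byte, which is what a strict chain builder does, so a reordered or truncated chain is reported before the server is started.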

Here are the Spring Boot TLS PEM configurable properties:

  • server.ssl.certificate – path to the server certificate (public key)
  • server.ssl.certificate-private-key – path to the private key
  • server.ssl.trust-certificate – path to the trust certificate / certificate authority certificate
  • server.ssl.trust-certificate-private-key – path to the trust certificate / certificate authority private key

Many web servers like NGINX, Netty, Tomcat, Jetty, and Undertow support TLS PEM certificates and are configured similarly.
