It is now possible to make your web server TLS enabled using properties such as server.ssl.key-store.
However, it only supports Keystore and does not support the widely used PEM format.
In Kubernetes, it is common to store TLS certs as PEM files in Secret. cert-manager, which is popular for issuing certificates, also creates a Secret in PEM format.
If my understanding is correct, in order to enable TLS using this PEM file in a Spring Boot application, you need to convert it to a jks file using keytool. In Kubernetes, an initContainer that mounts the TLS PEM file from the Secret and performs this conversion is required, which is very painful.
As far as I can find out, Tomcat and Netty (maybe others) can accept PEM files directly, in addition to a KeyStore, to enable TLS as follows:
```java
// Netty
import java.io.File;

import org.springframework.boot.web.embedded.netty.NettyServerCustomizer;
import org.springframework.context.annotation.Bean;
import reactor.netty.http.Http11SslContextSpec;

@Bean
public NettyServerCustomizer customizer() {
    return httpServer -> httpServer.secure(sslContextSpec -> {
        // Build the server SSL context directly from the PEM certificate chain and PKCS#8 private key
        Http11SslContextSpec spec = Http11SslContextSpec.forServer(new File("<path to server.crt>"), new File("<path to server.key>"));
        sslContextSpec.sslContext(spec);
    });
}
```
```java
// Tomcat
import org.apache.coyote.http11.AbstractHttp11JsseProtocol;

import org.springframework.boot.web.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.context.annotation.Bean;

@Bean
public TomcatConnectorCustomizer customizer() {
    return connector -> {
        // Enable TLS on the connector and point it at the PEM files instead of a KeyStore
        AbstractHttp11JsseProtocol<?> protocol = (AbstractHttp11JsseProtocol<?>) connector.getProtocolHandler();
        protocol.setSSLEnabled(true);
        protocol.setSSLCertificateFile("<path to server.crt>");
        protocol.setSSLCertificateKeyFile("<path to server.key>");
    };
}
```
I tested the above code with self-signed certificates generated as follows:
```shell
mkdir certs
curl -sL https://gist.github.com/making/92dc4c3ab7ee7be8a31f5f8345c6df88/raw/fa6f6ef52b74af7af20a2ac8cd921a98f5650a91/generate-certs.sh > certs/generate-certs.sh
docker run --rm -v ${PWD}/certs:/certs hitch bash /certs/generate-certs.sh 127-0-0-1.sslip.io
```
It would be very convenient if this was provided in the auto configuration.
(Tip: cert-manager uses the PKCS#1 format by default. It won't work unless you set PKCS#8 in certificate.spec.privateKey.encoding.)
Related issue: #24940
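As an added example (not the issue author's code, and not a Spring Boot API), here is how the PEM-to-KeyStore conversion the issue describes can be done in process instead of with keytool in an initContainer, with an explicit check for the PKCS#1 vs PKCS#8 key encoding from the tip above. The class name, the `server` alias and the choice of an in-memory PKCS12 store are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class PemKeyStoreLoader {
    // One PEM block; the label is captured so PKCS#1 ("RSA PRIVATE KEY") can be told apart from PKCS#8.
    private static final Pattern PEM_BLOCK =
        Pattern.compile("-----BEGIN ([A-Z ]+)-----([^-]+)-----END \\1-----");

    /** Builds an in-memory PKCS12 KeyStore from a PEM certificate chain and a PKCS#8 private key. */
    public static KeyStore load(Path certFile, Path keyFile, char[] password) throws Exception {
        // The X.509 CertificateFactory accepts concatenated PEM certificates (leaf first, then intermediates).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate[] chain = cf.generateCertificates(
                new ByteArrayInputStream(Files.readAllBytes(certFile))).toArray(new Certificate[0]);

        Matcher m = PEM_BLOCK.matcher(Files.readString(keyFile, StandardCharsets.US_ASCII));
        if (!m.find()) {
            throw new IOException("no PEM block found in " + keyFile);
        }
        // java.security only parses PKCS#8; cert-manager's default PKCS#1 key is rejected here with a
        // clear message instead of surfacing later as an opaque InvalidKeySpecException.
        if (!"PRIVATE KEY".equals(m.group(1))) {
            throw new IOException("expected PKCS#8 'PRIVATE KEY' but found '" + m.group(1)
                + "'; set spec.privateKey.encoding: PKCS8 on the cert-manager Certificate");
        }
        byte[] der = Base64.getMimeDecoder().decode(m.group(2));
        // Pick the KeyFactory (RSA or EC) from the leaf certificate's public key algorithm.
        String algorithm = chain[0].getPublicKey().getAlgorithm();
        PrivateKey key = KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry("server", key, password, chain);
        return ks;
    }
}
```

The returned KeyStore can be handed to an SSLContext or written out with `ks.store(...)`, so the keytool step and the volume it writes to are no longer needed.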
Comment From: philwebb
We'll have to also look at Jetty and Undertow. Regardless, I think this would be a nice enhancement.