It would be cool to have a feature where the web server could hot-reload the TLS certificates: all the existing connections still use the old certificate, while new connections use the new certificate.
Investigate whether and how this is possible, starting with Tomcat. In that context we should also think about what triggers the certificate reload: files changed on the file system, an event from the application event system, etc.
Comment From: mhalbritter
Details on how to get TLS certificates from Azure Key Vault: https://learn.microsoft.com/en-us/azure/developer/java/fundamentals/java-azure-keyvault-ssl-integration-jvm
Details on how Azure Key Vault gets the certificates to Tomcat: https://learn.microsoft.com/en-us/azure/developer/java/fundamentals/java-azure-keyvault-tomcat-integration?tabs=linux
Comment From: philwebb
Related Tomcat issue https://bz.apache.org/bugzilla/show_bug.cgi?id=65770
Comment From: martamedio
In the commercial version of Spring Cloud Gateway (SCG-K8s) we have been able to implement hot reloading of certificates for incoming and outgoing TLS communications. Basically, what we have done is to monitor the change of the associated file/certificate and, once this change is detected, thanks to the @RefreshScope annotation we have forced the refresh of the beans that read or make use of the new associated file/certificate, so that new connections would already use the new certificate without the need to restart the application.
Our changes were very Spring Cloud architecture + K8s oriented, but if it can be helpful for you, I'll be happy to share more technical details.
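One way to get the behaviour the issue asks for (connections that already completed their handshake keep the old certificate, new handshakes pick up the new one) together with the file-change trigger described in the comment above, shown here as an added example that is not Spring Boot's implementation, not SCG-K8s's code and not Tomcat's: a delegating `X509ExtendedKeyManager` built on plain JDK APIs. The `SSLContext` is initialised once with this key manager; because the context holds a reference to the manager rather than a snapshot of the keys, every new handshake consults whatever delegate was loaded last. The class name `ReloadableKeyManager`, the PKCS#12 keystore path, the password and the directory-watching details are assumptions made for illustration.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Hypothetical key manager (example code, not from Spring Boot, Tomcat or SCG-K8s) that forwards
 * every call to the key manager loaded most recently. New handshakes call chooseEngineServerAlias /
 * getCertificateChain / getPrivateKey on it, so they see the new certificate; sessions that already
 * finished their handshake are not touched.
 */
public final class ReloadableKeyManager extends X509ExtendedKeyManager {
    private final Path keystore;   // assumed: one PKCS#12 file holding private key + chain
    private final char[] password;
    private final AtomicReference<X509ExtendedKeyManager> delegate = new AtomicReference<>();

    public ReloadableKeyManager(Path keystore, char[] password) throws Exception {
        this.keystore = keystore;
        this.password = password;
        reload(); // fail fast at startup if the initial keystore is unusable
    }

    /** Re-read the keystore. If anything fails, the previous delegate stays in place, so a half-written file never takes TLS down. */
    public synchronized void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                delegate.set((X509ExtendedKeyManager) km); // atomic swap; handshakes in flight keep the old one
                return;
            }
        }
        throw new IllegalStateException("no X509ExtendedKeyManager available for " + keystore);
    }

    /** Build the SSLContext once; it keeps a reference to this manager, not a copy of the keys. */
    public SSLContext newSslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { this }, null, null);
        return ctx;
    }

    /**
     * Trigger: watch the keystore's directory rather than the file. Atomic writers and Kubernetes secret mounts
     * replace the file or a "..data" symlink, which shows up as ENTRY_CREATE on the directory, not ENTRY_MODIFY
     * on the file. (The "..data" naming is an assumption about the mount layout, not something the thread states.)
     */
    public Thread watchForChanges() throws Exception {
        Path dir = keystore.toAbsolutePath().getParent();
        WatchService watcher = dir.getFileSystem().newWatchService();
        dir.register(watcher, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY);
        Thread t = new Thread(() -> {
            try {
                while (true) {
                    WatchKey key = watcher.take();
                    boolean touched = false;
                    for (WatchEvent<?> ev : key.pollEvents()) {
                        Path name = (Path) ev.context(); // null for OVERFLOW
                        if (name != null && (name.equals(keystore.getFileName()) || name.toString().startsWith(".."))) {
                            touched = true;
                        }
                    }
                    key.reset();
                    if (touched) {
                        Thread.sleep(250); // debounce: let the writer finish before reading
                        try {
                            reload();
                        } catch (Exception e) {
                            System.err.println("keystore reload failed, keeping old certificate: " + e);
                        }
                    }
                }
            } catch (InterruptedException ignored) {
                // shutdown requested
            }
        }, "keystore-watcher");
        t.setDaemon(true);
        t.start();
        return t;
    }

    // Delegation: every call goes to the current key manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.get().getClientAliases(keyType, issuers); }
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) { return delegate.get().chooseClientAlias(keyType, issuers, socket); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.get().getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.get().chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.get().getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.get().getPrivateKey(alias); }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) { return delegate.get().chooseEngineClientAlias(keyType, issuers, engine); }
    @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) { return delegate.get().chooseEngineServerAlias(keyType, issuers, engine); }
}
```

Two design points worth keeping whichever trigger is chosen: the reload validates the whole new keystore before swapping, so a corrupt or partially written file leaves the old certificate serving instead of breaking TLS; and key and certificate are rotated as one PKCS#12 file, which avoids the window in which a separately written PEM key and certificate do not match. The same delegate-swap idea applies to a trust manager for outgoing TLS, and a Spring application event can call `reload()` in place of the file watcher.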
Comment From: nebhale
Additional prior art from the Cloud Foundry Java Buildpack: https://github.com/cloudfoundry/java-buildpack-security-provider.
Comment From: mhalbritter
Implemented in https://github.com/spring-projects/spring-boot/pull/37808