I have a Spring Boot SSL bundle defined as follows:

spring:
  ssl:
    bundle:
      watch:
        file:
          quiet-period: 20s
      pem:
        fos-internal-cert-bundle:
          reload-on-update: ${INTERNAL_CERT_RELOAD:true}
          keystore:
            certificate: ${INTERNAL_CERT:classpath:cert/client-certificate.pem}
            private-key: ${INTERNAL_CERT_PRIVATE_KEY:classpath:cert/private.key}
This SSL bundle is used in a RestTemplate as follows:

import java.time.Duration;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
// HeaderRequestInterceptor and RestClientProperties are the application's own classes

@Bean("restTemplateWithCertificate")
public RestTemplate restTemplateWithBdfCertificate(
        RestTemplateBuilder builder, RestClientProperties clientProperties, SslBundles sslBundles) {
    // Resolve the bundle declared under spring.ssl.bundle.pem.fos-internal-cert-bundle
    SslBundle sslBundle = sslBundles.getBundle("fos-internal-cert-bundle");
    return builder
            .requestFactory(HttpComponentsClientHttpRequestFactory.class)
            .additionalInterceptors(new HeaderRequestInterceptor())
            .setReadTimeout(Duration.ofSeconds(clientProperties.getReadTimeoutSec()))
            .setConnectTimeout(Duration.ofSeconds(clientProperties.getConnectionTimeoutSec()))
            .setSslBundle(sslBundle) // client certificate and key come from the bundle
            .build();
}
The certificates that I am using are updated by a cron job and auto-reloaded, as shown in the YAML fragment. I had the following questions:
- Does the RestTemplate bean automatically load the new certificate?
- We have a situation where the cron job occasionally malfunctions, and we need to have a fallback design that will look like this. Is it to create a new instance of the SSL bundle and update the singleton bean? Or should it be destroyed and recreated? (I know this is possibly not the most robust design.)
try {
    // use restTemplate to call remote svc
} catch (Exception e) {
    // if the SSL certificate has expired, fetch the updated certificate through an API
    // call the remote svc again
}
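One way to wire the two concerns together, as an added example that is not part of the question and not code from the Spring project: a holder that rebuilds the RestTemplate whenever Spring Boot signals that the bundle's key material changed, plus a pre-flight validity check on the bundle's key store that a fallback path can use before deciding to fetch a fresh certificate. It assumes Spring Boot 3.2 or later (where `SslBundles.addBundleUpdateHandler` exists), that `reload-on-update` is `true` for `fos-internal-cert-bundle` as in the YAML above, and that the HttpComponents request factory keeps the SSLContext it was built with, which is why a new RestTemplate is built rather than mutating the existing one. The class name `ReloadingRestTemplate` and the methods `execute` and `keyMaterialIsValid` are hypothetical names chosen for this example; the timeout and interceptor settings from the question's bean can be chained onto the builder in the same way.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;

import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

/**
 * Hypothetical holder (example code, not from the question) for the RestTemplate built
 * from the "fos-internal-cert-bundle" SSL bundle. The delegate is swapped for a freshly
 * built instance whenever Spring Boot reports that the bundle was reloaded, so callers
 * never keep using a client whose SSLContext was built from the old PEM files.
 */
@Component
public class ReloadingRestTemplate {

    static final String BUNDLE_NAME = "fos-internal-cert-bundle";

    private final RestTemplateBuilder builder;
    private final AtomicReference<RestTemplate> current = new AtomicReference<>();

    public ReloadingRestTemplate(RestTemplateBuilder builder, SslBundles sslBundles) {
        this.builder = builder;
        rebuild(sslBundles.getBundle(BUNDLE_NAME));
        // Invoked by Spring Boot after a watched PEM file changed and the quiet period
        // elapsed (requires reload-on-update: true on the bundle).
        sslBundles.addBundleUpdateHandler(BUNDLE_NAME, this::rebuild);
    }

    private void rebuild(SslBundle bundle) {
        // RestTemplateBuilder is immutable, so it can be reused for every rebuild.
        RestTemplate fresh = builder
                .requestFactory(HttpComponentsClientHttpRequestFactory.class)
                .setSslBundle(bundle)
                .build();
        current.set(fresh);
    }

    /** Runs a call against whichever RestTemplate is current at that moment. */
    public <T> T execute(Function<RestTemplate, T> call) {
        return call.apply(current.get());
    }

    /**
     * Pre-flight check for the fallback path: returns true only if every X.509
     * certificate in the bundle's key store is inside its validity period right now.
     * A false result is the signal to fetch new key material before retrying.
     */
    public static boolean keyMaterialIsValid(SslBundle bundle) {
        KeyStore keyStore = bundle.getStores().getKeyStore();
        if (keyStore == null) {
            return false; // nothing to present to the server
        }
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate[] chain = keyStore.getCertificateChain(alias);
                if (chain == null) {
                    Certificate single = keyStore.getCertificate(alias);
                    chain = (single == null) ? new Certificate[0] : new Certificate[] { single };
                }
                for (Certificate cert : chain) {
                    if (cert instanceof X509Certificate x509) {
                        x509.checkValidity(); // throws when expired or not yet valid
                    }
                }
            }
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return false;
        } catch (KeyStoreException e) {
            throw new IllegalStateException("key store is not initialised", e);
        }
    }
}
```

A caller would do `holder.execute(rt -> rt.getForObject(url, String.class))` and, in the catch block of the retry logic sketched above, consult `keyMaterialIsValid(sslBundles.getBundle("fos-internal-cert-bundle"))` to distinguish an expired client certificate from an ordinary transport failure before triggering the out-of-band fetch. The check covers the whole chain rather than only the leaf, because an expired intermediate fails the handshake just as surely.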