A server configured with ssl has a key material and trust material. These materials are generated from a keypair and certificate which always have an expiration date. In a traditional server configuration a reboot of the server is required to apply the latest key material and trust material changes when the keystore and truststore are changed. A downtime is therefore unavoidable. This project demonstrates with a basic setup how update the server certificate from an external source without the need of restarting your server. In this way you can achieve zero downtime.
The repository contains:
- Server, based on gRPC with Netty
The server has currently one way to update the existing ssl material:
-
File based aka file change listener, see here for the implementation: FilesBasedSslUpdateService
-
REST, This option is hosted in a separate module within this repository, see here: AdminController
-
Databased based, aka database change listener. This option is hosted in a separate module within this repository, see here: Instant SSL Reloading With Database
- Java 21
- Terminal
The server will check every minute for changes on the ssl material, in this case the identity.jks
and truststore.jks
. You will need to specify where the service should look for these files. Please change the properties below in FileBasedSslUpdateService.
private static final Path identityPath = Path.of("/path/to/your/identity.jks");
private static final Path trustStorePath = Path.of("/path/to/your/truststore.jks");
private static final char[] identityPassword = "secret".toCharArray();
private static final char[] trustStorePassword = "secret".toCharArray();
- run
mvn clean install
on the root directory of this repository - run
mvn exec:java
on the instant-server-ssl-reloading-with-grpc
Visit the server with the following url on your browser: https://localhost:8443/ Open the certificate details in your browser by clicking on the lock logo (on Chrome). You will see a similar certificate detail as shown below:
Please note down the expiration date. Afterwords you will compare it when you have run the admin application.
Wait for one minute and if the keystores are found and have been updated, then the ssl configuration will be updated. Refresh your browser tab and open the certificate details again and compare the expiration date with the one you have noted down. You should have a similar certificate detail as shown below: